diff options
Diffstat (limited to 'src/libstrongswan/credentials')
20 files changed, 1632 insertions, 0 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c new file mode 100644 index 000000000..c4c3ba176 --- /dev/null +++ b/src/libstrongswan/credentials/builder.c @@ -0,0 +1,31 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "builder.h" + +ENUM(builder_part_names, BUILD_BLOB_ASN1_DER, BUILD_END, + "BUILD_BLOB_ASN1_DER", + "BUILD_KEY_SIZE", + "BUILD_SIGNING_KEY", + "BUILD_SIGNING_CERT", + "BUILD_PUBLIC_KEY", + "BUILD_SUBJECT", + "BUILD_SUBJECT_ALTNAME", + "BUILD_ISSUER", + "BUILD_ISSUER_ALTNAME", + "BUILD_CA_CERT", + "BUILD_CERT", + "BUILD_END", +); diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h new file mode 100644 index 000000000..14c3d2496 --- /dev/null +++ b/src/libstrongswan/credentials/builder.h @@ -0,0 +1,101 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup builder builder + * @{ @ingroup credentials + */ + +#ifndef BUILDER_H_ +#define BUILDER_H_ + +typedef struct builder_t builder_t; +typedef enum builder_part_t builder_part_t; + +/** + * Constructor function which creates a new builder instance. + * + * @param subtype constructor specific subtype, e.g. certificate_type_t + * @return builder to construct a instance of type + */ +typedef builder_t* (*builder_constructor_t)(int subtype); + +#include <library.h> + +/** + * Parts to build credentials from. + */ +enum builder_part_t { + /** DER encoded ASN1 blob, argument is a chunk_t */ + BUILD_BLOB_ASN1_DER, + /** key size in bits, as used for key generation, as u_int */ + BUILD_KEY_SIZE, + /** private key to use for signing, private_key_t* */ + BUILD_SIGNING_KEY, + /** certificate used for signing, certificate_t* */ + BUILD_SIGNING_CERT, + /** public key to include, public_key_t* */ + BUILD_PUBLIC_KEY, + /** subject for e.g. certificates, identification_t* */ + BUILD_SUBJECT, + /** additional subject name, identification_t* */ + BUILD_SUBJECT_ALTNAME, + /** issuer for e.g. certificates, identification_t* */ + BUILD_ISSUER, + /** additional issuer name, identification_t* */ + BUILD_ISSUER_ALTNAME, + /** a CA certificate, certificate_t* */ + BUILD_CA_CERT, + /** a certificcate, certificate_t* */ + BUILD_CERT, + /** end of variable argument builder list */ + BUILD_END, +}; + +/** + * enum names for build_part_t + */ +extern enum_name_t *builder_part_names; + +/** + * Credential construction API. + * + * The builder allows the construction of credentials in a generic and + * flexible way. + */ +struct builder_t { + + /** + * Add a part to the construct. + * + * Any added parts get owned by the builder/construct, so clone/refcount + * them if needed. + * + * @param part kind of part + * @param ... part specific variable argument + */ + void (*add)(builder_t *this, builder_part_t part, ...); + + /** + * Build the construct with all supplied parts. + * + * Once build() is called, the builder gets destroyed. + * + * @return specific interface, as requested with constructor. + */ + void* (*build)(builder_t *this); +}; + +#endif /* BUILDER_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c new file mode 100644 index 000000000..649ab3069 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/certificate.c @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "certificate.h" + +#include <credentials/certificates/x509.h> + +ENUM(certificate_type_names, CERT_ANY, CERT_PGP, + "ANY", + "X509", + "X509_CRL", + "X509_OCSP_REQUEST", + "X509_OCSP_RESPONSE", + "X509_AC", + "X509_CHAIN", + "TRUSTED_PUBKEY", + "PGP", +); + +ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_SKIPPED, + "GOOD", + "REVOKED", + "FAILED", + "SKIPPED", +); + diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h new file mode 100644 index 000000000..94f19a068 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -0,0 +1,190 @@ +/* + * Copyright (C) 2007-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup certificate certificate + * @{ @ingroup certificates + */ + +#ifndef CERTIFICATE_H_ +#define CERTIFICATE_H_ + +typedef struct certificate_t certificate_t; +typedef enum certificate_type_t certificate_type_t; +typedef enum cert_validation_t cert_validation_t; + +#include <library.h> +#include <utils/identification.h> +#include <credentials/keys/public_key.h> + +/** + * Kind of a certificate_t + */ +enum certificate_type_t { + /** just any certificate */ + CERT_ANY, + /** X.509 certificate */ + CERT_X509, + /** X.509 certificate revocation list */ + CERT_X509_CRL, + /** X.509 online certificate status protocol request */ + CERT_X509_OCSP_REQUEST, + /** X.509 online certificate status protocol response */ + CERT_X509_OCSP_RESPONSE, + /** X.509 attribute certificate */ + CERT_X509_AC, + /** trusted, preinstalled public key */ + CERT_TRUSTED_PUBKEY, + /** PGP certificate */ + CERT_PGP, +}; + +/** + * Enum names for certificate_type_t + */ +extern enum_name_t *certificate_type_names; + +/** + * Result of a certificate validation. + */ +enum cert_validation_t { + /** certificate has been validated successfully */ + VALIDATION_GOOD, + /** validation failed, certificate is revoked */ + VALIDATION_REVOKED, + /* ocsp status is unknown or crl is stale */ + VALIDATION_UNKNOWN, + /** validation process failed due to an error */ + VALIDATION_FAILED, + /** validation has been skipped (no cdps available) */ + VALIDATION_SKIPPED, +}; + +/** + * Enum names for cert_validation_t + */ +extern enum_name_t *cert_validation_names; + +/** + * An abstract certificate. + * + * A certificate designs a subject-issuer relationship. It may have an + * associated public key. + */ +struct certificate_t { + + /** + * Get the type of the certificate. + * + * @return certifcate type + */ + certificate_type_t (*get_type)(certificate_t *this); + + /** + * Get the primary subject to which this certificate belongs. + * + * @return subject identity + */ + identification_t* (*get_subject)(certificate_t *this); + + /** + * Check if certificate contains a subject ID. + * + * A certificate may contain additional subject identifiers, which are + * not returned by get_subject (e.g. subjectAltNames) + * + * @param subject subject identity + * @return matching value of best match + */ + id_match_t (*has_subject)(certificate_t *this, identification_t *subject); + + /** + * Get the issuer which signed this certificate. + * + * @return issuer identity + */ + identification_t* (*get_issuer)(certificate_t *this); + + /** + * Check if certificate contains an issuer ID. + * + * A certificate may contain additional issuer identifiers, which are + * not returned by get_issuer (e.g. issuerAltNames) + * + * @param subject isser identity + * @return matching value of best match + */ + id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer); + + /** + * Check if this certificate is issued by a specific issuer. + * + * As signature verification is computional expensive, it is optional + * and may be skipped. While this is not sufficient for verification + * purposes, it is to e.g. find matching certificates. + * + * @param issuer issuer's certificate + * @param checksig TRUE to verify signature, FALSE to compare issuer only + * @return TRUE if certificate issued by issuer and trusted + */ + bool (*issued_by)(certificate_t *this, certificate_t *issuer, bool checksig); + + /** + * Get the public key associated to this certificate. + * + * @return newly referenced public_key, NULL if none available + */ + public_key_t* (*get_public_key)(certificate_t *this); + + /** + * Check the lifetime of the certificate. + * + * @param when check validity at a certain time (NULL for now) + * @param not_before receives certificates start of lifetime + * @param not_after receives certificates end of lifetime + * @return TRUE if when between not_after and not_before + */ + bool (*get_validity)(certificate_t *this, time_t *when, + time_t *not_before, time_t *not_after); + + /** + * Get the certificate in an encoded form. + * + * @return allocated chunk of encoded cert + */ + chunk_t (*get_encoding)(certificate_t *this); + + /** + * Check if two certificates are equal. + * + * @param other certificate to compair against this + * @return TRUE if certificates are equal + */ + bool (*equals)(certificate_t *this, certificate_t *other); + + /** + * Get a new reference to the certificate. + * + * @return this, with an increased refcount + */ + certificate_t* (*get_ref)(certificate_t *this); + + /** + * Destroy a certificate. + */ + void (*destroy)(certificate_t *this); +}; + +#endif /* CERTIFICATE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c new file mode 100644 index 000000000..48fb24a5d --- /dev/null +++ b/src/libstrongswan/credentials/certificates/crl.c @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2008 Martin Willi + * Copyright (C) 2006 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "crl.h" + +ENUM(crl_reason_names, CRL_UNSPECIFIED, CRL_REMOVE_FROM_CRL, + "unspecified", + "key compromise", + "ca compromise", + "affiliation changed", + "superseded", + "cessation of operation", + "certificate hold", + "reason #7", + "remove from crl", +); + diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h new file mode 100644 index 000000000..752293ffb --- /dev/null +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -0,0 +1,93 @@ +/* + * Copyright (C) 2008 Martin Willi + * Copyright (C) 2006 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup crl crl + * @{ @ingroup certificates + */ + +#ifndef CRL_H_ +#define CRL_H_ + +typedef struct crl_t crl_t; +typedef enum crl_reason_t crl_reason_t; + +#include <library.h> +#include <utils/linked_list.h> + +/** + * RFC 2459 CRL reason codes + */ +enum crl_reason_t { + CRL_UNSPECIFIED = 0, + CRL_KEY_COMPROMISE = 1, + CRL_CA_COMPROMISE = 2, + CRL_AFFILIATION_CHANGED = 3, + CRL_SUPERSEDED = 4, + CRL_CESSATION_OF_OPERATON = 5, + CRL_CERTIFICATE_HOLD = 6, + CRL_REMOVE_FROM_CRL = 8, +}; + +/** + * enum names for crl_reason_t + */ +extern enum_name_t *crl_reason_names; + +/** + * X509 certificate revocation list (CRL) interface definition. + */ +struct crl_t { + + /** + * Implements (parts of) the certificate_t interface + */ + certificate_t certificate; + + /** + * Is that newer than this? + * + * @return TRUE if newer, FALSE otherwise + */ + bool (*is_newer)(crl_t *this, crl_t *that); + + /** + * Get the CRL serial number. + * + * @return chunk pointing to internal crlNumber + */ + chunk_t (*get_serial)(crl_t *this); + + /** + * Get the the authorityKeyIdentifier. + * + * @return authKeyIdentifier as identification_t* + */ + identification_t* (*get_authKeyIdentifier)(crl_t *this); + + /** + * Create an enumerator over all revoked certificates. + * + * The enumerator takes 3 pointer arguments: + * chunk_t serial, time_t revocation_date, crl_reason_t reason + * + * @return enumerator over revoked certificates. + */ + enumerator_t* (*create_enumerator)(crl_t *this); + +}; + +#endif /* CRL_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/ocsp_request.c b/src/libstrongswan/credentials/certificates/ocsp_request.c new file mode 100644 index 000000000..0958be4a0 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/ocsp_request.c @@ -0,0 +1,19 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "ocsp_request.h" + diff --git a/src/libstrongswan/credentials/certificates/ocsp_request.h b/src/libstrongswan/credentials/certificates/ocsp_request.h new file mode 100644 index 000000000..377eabd23 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/ocsp_request.h @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup ocsp_request ocsp_request + * @{ @ingroup certificates + */ + +#ifndef OCSP_REQUEST_H_ +#define OCSP_REQUEST_H_ + +#include <credentials/certificates/certificate.h> + +typedef struct ocsp_request_t ocsp_request_t; + +/** + * OCSP request message. + */ +struct ocsp_request_t { + + /** + * Implements certificiate_t interface + */ + certificate_t interface; +}; + +#endif /* OCSP_REQUEST_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.c b/src/libstrongswan/credentials/certificates/ocsp_response.c new file mode 100644 index 000000000..02e12f761 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/ocsp_response.c @@ -0,0 +1,29 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "ocsp_response.h" + +ENUM(ocsp_status_names, OCSP_SUCCESSFUL, OCSP_UNAUTHORIZED, + "successful", + "malformed request", + "internal error", + "try later", + "status #4", + "signature required", + "unauthorized" +); + diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h new file mode 100644 index 000000000..416f712f3 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/ocsp_response.h @@ -0,0 +1,84 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup ocsp_response ocsp_response + * @{ @ingroup certificates + */ + +#ifndef OCSP_RESPONSE_H_ +#define OCSP_RESPONSE_H_ + +#include <credentials/certificates/x509.h> +#include <credentials/certificates/crl.h> + +typedef struct ocsp_response_t ocsp_response_t; +typedef enum ocsp_status_t ocsp_status_t; + +/** + * OCSP response status + */ +enum ocsp_status_t { + OCSP_SUCCESSFUL = 0, + OCSP_MALFORMEDREQUEST = 1, + OCSP_INTERNALERROR = 2, + OCSP_TRYLATER = 3, + OCSP_SIGREQUIRED = 5, + OCSP_UNAUTHORIZED = 6, +}; + +/** + * enum names for ocsp_status_t + */ +extern enum_name_t *ocsp_status_names; + +/** + * OCSP response message. + */ +struct ocsp_response_t { + + /** + * Implements certificiate_t interface + */ + certificate_t certificate; + + /** + * Check the status of a certificate by this OCSP response. + * + * @param subject certificate to check status + * @param issuer issuer certificate of subject + * @param revocation_time receives time of revocation, if revoked + * @param revocation_reason receives reason of revocation, if revoked + * @param this_update creation time of revocation list + * @param next_update exptected time of next revocation list + * @return certificate revocation status + */ + cert_validation_t (*get_status)(ocsp_response_t *this, + x509_t *subject, x509_t *issuer, + time_t *revocation_time, + crl_reason_t *revocation_reason, + time_t *this_update, time_t *next_update); + + /** + * Create an enumerator over the contained certificates. + * + * @return enumerator over certificate_t* + */ + enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this); +}; + +#endif /* OCSP_RESPONSE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c new file mode 100644 index 000000000..a5f4fc1d0 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/x509.c @@ -0,0 +1,25 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "x509.h" + +ENUM(x509_flag_names, X509_CA, X509_SELF_SIGNED, + "X509_CA", + "X509_AA", + "X509_OCSP_SIGNER", + "X509_SELF_SIGNED", +); diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h new file mode 100644 index 000000000..a4f9d1ff3 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -0,0 +1,114 @@ +/* + * Copyright (C) 2007-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup x509 x509 + * @{ @ingroup certificates + */ + +#ifndef X509_H_ +#define X509_H_ + +#include <utils/enumerator.h> +#include <credentials/certificates/certificate.h> + +typedef struct x509_t x509_t; +typedef enum x509_flag_t x509_flag_t; + +/** + * X.509 certificate flags. + */ +enum x509_flag_t { + /** cert has CA constraint */ + X509_CA = (1<<0), + /** cert has AA constraint */ + X509_AA = (1<<1), + /** cert has OCSP signer constraint */ + X509_OCSP_SIGNER = (1<<2), + /** cert belongs to an end entity */ + X509_PEER = (1<<3), + /** cert is self-signed */ + X509_SELF_SIGNED = (1<<4), +}; + +/** + * enum names for x509 flags + */ +extern enum_name_t *x509_flag_names; + +/** + * X.509 certificate interface. + * + * This interface adds additional methods to the certificate_t type to + * allow further operations on these certificates. + */ +struct x509_t { + + /** + * Implements certificate_t. + */ + certificate_t interface; + + /** + * Get the flags set for this certificate. + * + * @return set of flags + */ + x509_flag_t (*get_flags)(x509_t *this); + + /** + * Set the flags for this certificate. + * + * @param flags set of flags + */ + void (*set_flags)(x509_t *this, x509_flag_t flags); + + /** + * Get the certificate serial number. + * + * @return chunk pointing to internal serial number + */ + chunk_t (*get_serial)(x509_t *this); + + /** + * Get the the authorityKeyIdentifier. + * + * @return authKeyIdentifier as identification_t* + */ + identification_t* (*get_authKeyIdentifier)(x509_t *this); + + /** + * Create an enumerator over all subjectAltNames. + * + * @return enumerator over subjectAltNames as identification_t* + */ + enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this); + + /** + * Create an enumerator over all CRL URIs. + * + * @return enumerator over URIs as char* + */ + enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); + + /** + * Create an enumerator over all OCSP URIs. + * + * @return enumerator over URIs as char* + */ + enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this); +}; + +#endif /* X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c new file mode 100644 index 000000000..ab99a4211 --- /dev/null +++ b/src/libstrongswan/credentials/credential_factory.c @@ -0,0 +1,263 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "credential_factory.h" + +#include <debug.h> +#include <utils/linked_list.h> +#include <utils/mutex.h> + +typedef struct private_credential_factory_t private_credential_factory_t; + +/** + * private data of credential_factory + */ +struct private_credential_factory_t { + + /** + * public functions + */ + credential_factory_t public; + + /** + * list with entry_t + */ + linked_list_t *constructors; + + /** + * mutex to lock access to modules + */ + mutex_t *mutex; +}; + +typedef struct entry_t entry_t; +struct entry_t { + /** kind of credential builder */ + credential_type_t type; + /** subtype of credential, e.g. certificate_type_t */ + int subtype; + /** builder construction function */ + builder_constructor_t constructor; +}; + +/** + * Implementation of credential_factory_t.create_builder. + */ +static builder_t* create_builder(private_credential_factory_t *this, + credential_type_t type, int subtype) +{ + enumerator_t *enumerator; + entry_t *entry; + builder_t *builder = NULL; + + this->mutex->lock(this->mutex); + enumerator = this->constructors->create_enumerator(this->constructors); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->type == type && entry->subtype == subtype) + { + builder = entry->constructor(subtype); + if (builder) + { + break; + } + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + return builder; +} + +/** + * Implementation of credential_factory_t.add_builder_constructor. + */ +static void add_builder(private_credential_factory_t *this, + credential_type_t type, int subtype, + builder_constructor_t constructor) +{ + entry_t *entry = malloc_thing(entry_t); + + entry->type = type; + entry->subtype = subtype; + entry->constructor = constructor; + this->mutex->lock(this->mutex); + this->constructors->insert_last(this->constructors, entry); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of credential_factory_t.remove_builder. + */ +static void remove_builder(private_credential_factory_t *this, + builder_constructor_t constructor) +{ + enumerator_t *enumerator; + entry_t *entry; + + this->mutex->lock(this->mutex); + enumerator = this->constructors->create_enumerator(this->constructors); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->constructor == constructor) + { + this->constructors->remove_at(this->constructors, enumerator); + free(entry); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of credential_factory_t.create. + */ +static void* create(private_credential_factory_t *this, credential_type_t type, + int subtype, ...) +{ + builder_t *builder; + builder_part_t part; + va_list args; + + builder = create_builder(this, type, subtype); + if (builder) + { + va_start(args, subtype); + while (TRUE) + { + part = va_arg(args, builder_part_t); + + switch (part) + { + case BUILD_END: + break; + case BUILD_BLOB_ASN1_DER: + builder->add(builder, part, va_arg(args, chunk_t)); + continue; + case BUILD_KEY_SIZE: + builder->add(builder, part, va_arg(args, u_int)); + continue; + case BUILD_SIGNING_KEY: + case BUILD_PUBLIC_KEY: + case BUILD_SUBJECT: + case BUILD_SUBJECT_ALTNAME: + case BUILD_ISSUER: + case BUILD_ISSUER_ALTNAME: + case BUILD_SIGNING_CERT: + case BUILD_CA_CERT: + case BUILD_CERT: + builder->add(builder, part, va_arg(args, void*)); + continue; + default: + DBG1("builder part %N not supported by factory", + builder_part_names, part); + continue; + } + break; + } + va_end(args); + + return builder->build(builder); + } + + /** shredder all data on failure */ + va_start(args, subtype); + while (TRUE) + { + part = va_arg(args, builder_part_t); + + switch (part) + { + case BUILD_END: + break; + case BUILD_BLOB_ASN1_DER: + { + chunk_t chunk = va_arg(args, chunk_t); + free(chunk.ptr); + continue; + } + case BUILD_SIGNING_KEY: + { + private_key_t *private = va_arg(args, private_key_t*); + private->destroy(private); + continue; + } + case BUILD_PUBLIC_KEY: + { + public_key_t *public = va_arg(args, public_key_t*); + public->destroy(public); + continue; + } + case BUILD_SUBJECT: + case BUILD_SUBJECT_ALTNAME: + case BUILD_ISSUER: + case BUILD_ISSUER_ALTNAME: + { + identification_t *id = va_arg(args, identification_t*); + id->destroy(id); + continue; + } + case BUILD_SIGNING_CERT: + case BUILD_CA_CERT: + case BUILD_CERT: + { + certificate_t *cert = va_arg(args, certificate_t*); + cert->destroy(cert); + continue; + } + case BUILD_KEY_SIZE: + continue; + default: + DBG1("builder part %N not supported by factory", + builder_part_names, part); + continue; + } + break; + } + va_end(args); + return NULL; +} + +/** + * Implementation of credential_factory_t.destroy + */ +static void destroy(private_credential_factory_t *this) +{ + this->constructors->destroy_function(this->constructors, free); + this->mutex->destroy(this->mutex); + free(this); +} + +/* + * see header file + */ +credential_factory_t *credential_factory_create() +{ + private_credential_factory_t *this = malloc_thing(private_credential_factory_t); + + this->public.create = (void*(*)(credential_factory_t*, credential_type_t type, int subtype, ...))create; + this->public.create_builder = (builder_t*(*)(credential_factory_t*, credential_type_t type, int subtype))create_builder; + this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_constructor_t constructor))add_builder; + this->public.remove_builder = (void(*)(credential_factory_t*,builder_constructor_t constructor))remove_builder; + this->public.destroy = (void(*)(credential_factory_t*))destroy; + + this->constructors = linked_list_create(); + + this->mutex = mutex_create(MUTEX_RECURSIVE); + + return &this->public; +} + diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h new file mode 100644 index 000000000..394d0b075 --- /dev/null +++ b/src/libstrongswan/credentials/credential_factory.h @@ -0,0 +1,100 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup credential_factory credential_factory + * @{ @ingroup credentials + */ + +#ifndef CREDENTIAL_FACTORY_H_ +#define CREDENTIAL_FACTORY_H_ + +typedef struct credential_factory_t credential_factory_t; +typedef enum credential_type_t credential_type_t; + +#include <credentials/keys/private_key.h> +#include <credentials/keys/public_key.h> +#include <credentials/certificates/certificate.h> +#include <credentials/builder.h> + +/** + * Kind of credential. + */ +enum credential_type_t { + /** private key, implemented in private_key_t */ + CRED_PRIVATE_KEY, + /** public key, implemented in public_key_t */ + CRED_PUBLIC_KEY, + /** certificates, implemented in certificate_t */ + CRED_CERTIFICATE, +}; + +/** + * Manages credential construction functions and creates instances. + */ +struct credential_factory_t { + + /** + * Create a credential using a list of builder_part_t's. + * + * The variable argument list takes builder_part_t types followed + * by the type specific value. The list must be terminated using BUILD_END. + * + * @param type credential type to build + * @param subtype subtype specific for type of the credential + * @param ... build_part_t arguments, BUILD_END terminated. + * @return type specific credential, NULL if failed + */ + void* (*create)(credential_factory_t *this, credential_type_t type, + int subtype, ...); + + /** + * Create a builder instance to build credentials. + * + * @param type type of credentials the builder creates + * @param subtype type specific subtype, such as certificate_type_t + * @return builder instance + */ + builder_t* (*create_builder)(credential_factory_t *this, + credential_type_t type, int subtype); + /** + * Register a builder_t constructor function. + * + * @param type type of credential the builder creates + * @param constructor builder constructor function to register + */ + void (*add_builder)(credential_factory_t *this, + credential_type_t type, int subtype, + builder_constructor_t constructor); + /** + * Unregister a builder_t constructor function. + * + * @param constructor constructor function to unregister. + */ + void (*remove_builder)(credential_factory_t *this, + builder_constructor_t constructor); + + /** + * Destroy a credential_factory instance. + */ + void (*destroy)(credential_factory_t *this); +}; + +/** + * Create a credential_factory instance. + */ +credential_factory_t *credential_factory_create(); + +#endif /* CREDENTIAL_FACTORY_H_ @}*/ diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c new file mode 100644 index 000000000..9853bda10 --- /dev/null +++ b/src/libstrongswan/credentials/keys/private_key.c @@ -0,0 +1,19 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "private_key.h" + diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h new file mode 100644 index 000000000..fbb5abf02 --- /dev/null +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -0,0 +1,143 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup private_key private_key + * @{ @ingroup keys + */ + +#ifndef PRIVATE_KEY_H_ +#define PRIVATE_KEY_H_ + +typedef struct private_key_t private_key_t; + +#include <utils/identification.h> +#include <credentials/keys/public_key.h> + +/** + * Abstract private key interface. + */ +struct private_key_t { + + /** + * Get the key type. + * + * @return type of the key + */ + key_type_t (*get_type)(private_key_t *this); + + /** + * Create a signature over a chunk of data. + * + * @param scheme signature scheme to use + * @param data chunk of data to sign + * @param signature where to allocate created signature + * @return TRUE if signature created + */ + bool (*sign)(private_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t *signature); + /** + * Decrypt a chunk of data. + * + * @param crypto chunk containing encrypted data + * @param plain where to allocate decrypted data + * @return TRUE if data decrypted and plaintext allocated + */ + bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain); + + /** + * Get the strength of the key in bytes. + * + * @return strength of the key in bytes + */ + size_t (*get_keysize) (private_key_t *this); + + /** + * Get a unique key identifier, such as a hash over the public key. + * + * @param type type of the key ID to get + * @return unique ID of the key as identification_t, or NULL + */ + identification_t* (*get_id) (private_key_t *this, id_type_t type); + + /** + * Get the public part from the private key. + * + * @return public key + */ + public_key_t* (*get_public_key)(private_key_t *this); + + /** + * Check if a private key belongs to a public key. + * + * @param public public key + * @return TRUE, if keys belong together + */ + bool (*belongs_to) (private_key_t *this, public_key_t *public); + + /** + * Get an encoded form of the private key. + * + * @todo Do we need a encoding type specification? + * + * @return allocated chunk containing encoded private key + */ + chunk_t (*get_encoding)(private_key_t *this); + + /** + * Increase the refcount to this private key. + * + * @return this, with an increased refcount + */ + private_key_t* (*get_ref)(private_key_t *this); + + /** + * Decrease refcount, destroy private_key if no more references. + */ + void (*destroy)(private_key_t *this); +}; + +/** + * Read a private key from a file. + * + * @param type type of the key + * @param filename filename to read key from + * @param passphrase passphrase to decrypt an encrypted key + * @return loaded private key, NULL if failed + */ +private_key_t *private_key_create_from_file(key_type_t type, char *filename, + chunk_t passphrase); + +/** + * Create a private key from a chunk. + * + * @param type type of the key + * @param chunk chunk to create key from + * @return loaded private key, NULL if failed + */ +private_key_t *private_key_create_from_chunk(key_type_t type, chunk_t chunk); + +/** + * Generate a new private key. + * + * @param type type of the key + * @param size key size in bytes + * @return generated private key, NULL if failed + */ +private_key_t *private_key_create_generated(key_type_t type, size_t size); + +#endif /* PRIVATE_KEY_H_ @} */ diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c new file mode 100644 index 000000000..654b53c16 --- /dev/null +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "public_key.h" + +ENUM(key_type_names, KEY_RSA, KEY_RSA, + "RSA" +); + +ENUM(signature_scheme_names, SIGN_DEFAULT, SIGN_RSA_EMSA_PKCS1_SHA512, + "DEFAULT", + "RSA_EMSA_PKCS1_MD5", + "RSA_EMSA_PKCS1_SHA1", + "RSA_EMSA_PKCS1_SHA256", + "RSA_EMSA_PKCS1_SHA384", + "RSA_EMSA_PKCS1_SHA512", +); + diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h new file mode 100644 index 000000000..2083db5a1 --- /dev/null +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -0,0 +1,163 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup public_key public_key + * @{ @ingroup keys + */ + +#ifndef PUBLIC_KEY_H_ +#define PUBLIC_KEY_H_ + +typedef struct public_key_t public_key_t; +typedef enum key_type_t key_type_t; +typedef enum key_id_type_t key_id_type_t; +typedef enum signature_scheme_t signature_scheme_t; + +#include <library.h> +#include <utils/identification.h> + +/** + * Type of a key pair, the used crypto system + */ +enum key_type_t { + /** key type wildcard */ + KEY_ANY, + /** RSA crypto system as in PKCS#1 */ + KEY_RSA, + /** DSS, ElGamal, ECDSA, ... */ +}; + +/** + * Enum names for key_type_t + */ +extern enum_name_t *key_type_names; + +/** + * Signature scheme for signature creation + * + * EMSA-PKCS1 signatures are from the PKCS#1 standard. They include + * the ASN1-OID of the used hash algorithm. + */ +enum signature_scheme_t { + /** default scheme of that underlying crypto system */ + SIGN_DEFAULT, + /** EMSA-PKCS1 with MD5 */ + SIGN_RSA_EMSA_PKCS1_MD5, + /** EMSA-PKCS1 signature as in PKCS#1 standard using SHA1 as hash. */ + SIGN_RSA_EMSA_PKCS1_SHA1, + /** EMSA-PKCS1 signature as in PKCS#1 standard using SHA256 as hash. */ + SIGN_RSA_EMSA_PKCS1_SHA256, + /** EMSA-PKCS1 signature as in PKCS#1 standard using SHA384 as hash. */ + SIGN_RSA_EMSA_PKCS1_SHA384, + /** EMSA-PKCS1 signature as in PKCS#1 standard using SHA512 as hash. */ + SIGN_RSA_EMSA_PKCS1_SHA512, +}; + +/** + * Enum names for signature_scheme_t + */ +extern enum_name_t *signature_scheme_names; + +/** + * Abstract interface of a public key. + */ +struct public_key_t { + + /** + * Get the key type. + * + * @return type of the key + */ + key_type_t (*get_type)(public_key_t *this); + + /** + * Verifies a signature against a chunk of data. + * + * @param scheme signature scheme to use for verification, may be default + * @param data data to check signature against + * @param signature signature to check + * @return TRUE if signature matches + */ + bool (*verify)(public_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t signature); + + /** + * Encrypt a chunk of data. + * + * @param crypto chunk containing plaintext data + * @param plain where to allocate encrypted data + * @return TRUE if data successfully encrypted + */ + bool (*encrypt)(public_key_t *this, chunk_t crypto, chunk_t *plain); + + /** + * Get the strength of the key in bytes. + * + * @return strength of the key in bytes + */ + size_t (*get_keysize) (public_key_t *this); + + /** + * Get a unique key identifier, such as a hash over the key. + * + * @param type type of the key ID to get + * @return unique ID of the key as identification_t, or NULL + */ + identification_t* (*get_id) (public_key_t *this, id_type_t type); + + /** + * Get an encoded form of the key. + * + * @todo Do we need a encoding type specification? + * + * @return allocated chunk containing encoded key + */ + chunk_t (*get_encoding)(public_key_t *this); + + /** + * Increase the refcount of the key. + * + * @return this with an increased refcount + */ + public_key_t* (*get_ref)(public_key_t *this); + + /** + * Destroy a public_key instance. + */ + void (*destroy)(public_key_t *this); +}; + +/** + * Read a public key from a file. + * + * @param type type of the key + * @param filename filename to read key from + * @return loaded public key, NULL if failed + */ +public_key_t *public_key_create_from_file(key_type_t type, char *filename); + +/** + * Create a public key from a chunk. + * + * @param type type of the key + * @param chunk chunk to create key from + * @return loaded public key, NULL if failed + */ +public_key_t *public_key_create_from_chunk(key_type_t type, chunk_t chunk); + +#endif /* PUBLIC_KEY_H_ @} */ diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c new file mode 100644 index 000000000..66b45a003 --- /dev/null +++ b/src/libstrongswan/credentials/keys/shared_key.c @@ -0,0 +1,27 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "shared_key.h" + +ENUM(shared_key_type_names, SHARED_ANY, SHARED_PIN, + "ANY", + "IKE", + "EAP", + "PRIVATE_KEY_PASS", + "PIN", +); + diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h new file mode 100644 index 000000000..86586a7c7 --- /dev/null +++ b/src/libstrongswan/credentials/keys/shared_key.h @@ -0,0 +1,86 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup shared_key shared_key + * @{ @ingroup keys + */ + +#ifndef SHARED_KEY_H_ +#define SHARED_KEY_H_ + +#include <utils/enumerator.h> +#include <utils/identification.h> + +typedef struct shared_key_t shared_key_t; +typedef enum shared_key_type_t shared_key_type_t; + +/** + * Type of a shared key. + */ +enum shared_key_type_t { + /** wildcard for all keys */ + SHARED_ANY, + /** PSK for IKE authentication */ + SHARED_IKE, + /** key for a EAP authentication method */ + SHARED_EAP, + /** key to decrypt encrypted private keys */ + SHARED_PRIVATE_KEY_PASS, + /** PIN to unlock a smartcard */ + SHARED_PIN, +}; + +/** + * enum names for shared_key_type_t + */ +extern enum_name_t *shared_key_type_names; + +/** + * A symmetric key shared between multiple owners. + * + * This class is not thread save, do not add owners while others might be + * reading. + */ +struct shared_key_t { + + /** + * Get the kind of this key. + * + * @return type of the key + */ + shared_key_type_t (*get_type)(shared_key_t *this); + + /** + * Get the shared key data. + * + * @return chunk pointing to the internal key + */ + chunk_t (*get_key)(shared_key_t *this); + + /** + * Increase refcount of the key. + * + * @return this with an increased refcount + */ + shared_key_t* (*get_ref)(shared_key_t *this); + + /** + * Destroy a shared_key instance if all references are gone. + */ + void (*destroy)(shared_key_t *this); +}; + +#endif /** SHARED_KEY_H_ @} */ |