ike_certificate.h
Go to the documentation of this file.
1 /**
2  * @file ike_certificate.h
3  * @brief X.509 certificate handling
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2022-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneIPSEC Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.4.4
29  **/
30 
31 #ifndef _IKE_CERTIFICATE_H
32 #define _IKE_CERTIFICATE_H
33 
34 //Dependencies
35 #include "ike/ike.h"
36 #include "pkix/x509_common.h"
37 
38 //C++ guard
39 #ifdef __cplusplus
40 extern "C" {
41 #endif
42 
43 //IKEv2 related functions
44 error_t ikeGetCertificateType(const X509CertInfo *certInfo,
45  IkeCertType *certType);
46 
47 error_t ikeGetCertSubjectDn(const char_t *cert, size_t certLen,
48  uint8_t *subjectDn, size_t *subjectDnLen);
49 
50 error_t ikeFormatCertAuthorities(const char_t *trustedCaList,
51  size_t trustedCaListLen, uint8_t *certAuth, size_t *certAuthLen);
52 
53 bool_t ikeIsDuplicateCa(const uint8_t *certAuth, size_t certAuthLen,
54  const uint8_t *digest);
55 
56 error_t ikeParseCertificateChain(IkeSaEntry *sa, IpsecPadEntry *padEntry,
57  const uint8_t *message, size_t length);
58 
59 error_t ikeValidateCertificate(IkeSaEntry *sa, IpsecPadEntry *padEntry,
60  const X509CertInfo *certInfo, uint_t pathLen);
61 
62 error_t ikeCheckKeyUsage(const X509CertInfo *certInfo);
63 
64 //C++ guard
65 #ifdef __cplusplus
66 }
67 #endif
68 
69 #endif
IkeCertType
IkeCertType
Certificate types.
Definition: ike.h:1222
x509_common.h
X.509 common definitions.
ikeCheckKeyUsage
error_t ikeCheckKeyUsage(const X509CertInfo *certInfo)
Check certificate key usage.
Definition: ike_certificate.c:811
bool_t
int bool_t
Definition: compiler_port.h:53
ikeIsDuplicateCa
bool_t ikeIsDuplicateCa(const uint8_t *certAuth, size_t certAuthLen, const uint8_t *digest)
Test whether the provided SHA-1 digest value is a duplicate.
Definition: ike_certificate.c:410
ikeGetCertSubjectDn
error_t ikeGetCertSubjectDn(const char_t *cert, size_t certLen, uint8_t *subjectDn, size_t *subjectDnLen)
Extract subject's DN from certificate.
Definition: ike_certificate.c:205
message
uint8_t message[]
Definition: chap.h:154
ikeGetCertificateType
error_t ikeGetCertificateType(const X509CertInfo *certInfo, IkeCertType *certType)
Retrieve the certificate type.
Definition: ike_certificate.c:56
ikeFormatCertAuthorities
error_t ikeFormatCertAuthorities(const char_t *trustedCaList, size_t trustedCaListLen, uint8_t *certAuth, size_t *certAuthLen)
Format list of acceptable certification authorities.
Definition: ike_certificate.c:287
IpsecPadEntry
Peer Authorization Database (PAD) entry.
Definition: ipsec.h:400
X509CertInfo
X.509 certificate.
Definition: x509_common.h:1071
error_t
error_t
Error codes.
Definition: error.h:43
length
uint8_t length
Definition: tcp.h:368
ike.h
IKEv2 (Internet Key Exchange Protocol)
ikeValidateCertificate
error_t ikeValidateCertificate(IkeSaEntry *sa, IpsecPadEntry *padEntry, const X509CertInfo *certInfo, uint_t pathLen)
Verify certificate against root CAs.
Definition: ike_certificate.c:654
char_t
char char_t
Definition: compiler_port.h:48
IkeSaEntry
#define IkeSaEntry
Definition: ike.h:682
ikeParseCertificateChain
error_t ikeParseCertificateChain(IkeSaEntry *sa, IpsecPadEntry *padEntry, const uint8_t *message, size_t length)
Parse certificate chain.
Definition: ike_certificate.c:445
uint_t
unsigned int uint_t
Definition: compiler_port.h:50