include/rawrtc/certificate.h

#pragma once
#include <rawrtcc/code.h>
#include <re.h>

/*
 * Certificate private key types.
 */
enum rawrtc_certificate_key_type {
    // An RSA private key.
    RAWRTC_CERTIFICATE_KEY_TYPE_RSA = TLS_KEYTYPE_RSA,
    // An elliptic curve private key.
    RAWRTC_CERTIFICATE_KEY_TYPE_EC = TLS_KEYTYPE_EC,
};

/*
 * Certificate signing hash algorithms.
 */
enum rawrtc_certificate_sign_algorithm {
    // Sign algorithm not set.
    // Note: When passing this as an argument, a sensible default signing
    //       algorithm shall be used.
    RAWRTC_CERTIFICATE_SIGN_ALGORITHM_NONE = 0,
    // SHA-256 sign algorithm.
    RAWRTC_CERTIFICATE_SIGN_ALGORITHM_SHA256 = TLS_FINGERPRINT_SHA256,
    // SHA-384 sign algorithm.
    RAWRTC_CERTIFICATE_SIGN_ALGORITHM_SHA384,
    // SHA-512 sign algorithm.
    RAWRTC_CERTIFICATE_SIGN_ALGORITHM_SHA512,
};

/*
 * Certificate encoding.
 */
enum rawrtc_certificate_encode {
    // Only encode the certificate.
    RAWRTC_CERTIFICATE_ENCODE_CERTIFICATE,
    // Only encode the private key.
    RAWRTC_CERTIFICATE_ENCODE_PRIVATE_KEY,
    // Encode both the certificate and the private key.
    RAWRTC_CERTIFICATE_ENCODE_BOTH,
};

/*
 * Certificate options.
 */
struct rawrtc_certificate_options;

/*
 * Certificate.
 */
struct rawrtc_certificate;

/*
 * Certificates.
 * Note: Inherits `struct rawrtc_array_container`.
 */
struct rawrtc_certificates {
    size_t n_certificates;
    struct rawrtc_certificate* certificates[];
};

/*
 * Create certificate options.
 *
 * All arguments but `key_type` are optional. Sane and safe default
 * values will be applied, don't worry!
 *
 * `*optionsp` must be unreferenced.
 *
 * If `common_name` is `NULL` the default common name will be applied.
 * If `valid_until` is `0` the default certificate lifetime will be
 * applied.
 * If the key type is `ECC` and `named_curve` is `NULL`, the default
 * named curve will be used.
 * If the key type is `RSA` and `modulus_length` is `0`, the default
 * amount of bits will be used. The same applies to the
 * `sign_algorithm` if it has been set to `NONE`.
 */
enum rawrtc_code rawrtc_certificate_options_create(
    struct rawrtc_certificate_options** const optionsp,  // de-referenced
    enum rawrtc_certificate_key_type const key_type,
    char* common_name,  // nullable, copied
    uint_fast32_t valid_until,
    enum rawrtc_certificate_sign_algorithm sign_algorithm,
    char* named_curve,  // nullable, copied, ignored for RSA
    uint_fast32_t modulus_length  // ignored for ECC
);

/*
 * Create and generate a self-signed certificate.
 *
 * Sane and safe default options will be applied if `options` is
 * `NULL`.
 *
 * `*certificatep` must be unreferenced.
 */
enum rawrtc_code rawrtc_certificate_generate(
    struct rawrtc_certificate** const certificatep,
    struct rawrtc_certificate_options* options  // nullable
);

/*
 * TODO http://draft.ortc.org/#dom-rtccertificate
 * rawrtc_certificate_from_bytes
 * rawrtc_certificate_get_expires
 * rawrtc_certificate_get_fingerprint
 * rawrtc_certificate_get_algorithm
 */

/*
 * Translate a certificate sign algorithm to str.
 */
char const* rawrtc_certificate_sign_algorithm_to_str(
    enum rawrtc_certificate_sign_algorithm const algorithm);

/*
 * Translate a str to a certificate sign algorithm (case-insensitive).
 */
enum rawrtc_code rawrtc_str_to_certificate_sign_algorithm(
    enum rawrtc_certificate_sign_algorithm* const algorithmp,  // de-referenced
    char const* const str);