os/security/cryptoservices/certificateandkeymgmt/pkixcertbase/pkixCons.h
author sl@SLION-WIN7.fritz.box
Fri, 15 Jun 2012 03:10:57 +0200
changeset 0 bde4ae8d615e
permissions -rw-r--r--
First public contribution.
/*
* Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies).
* All rights reserved.
* This component and the accompanying materials are made available
* under the terms of the License "Eclipse Public License v1.0"
* which accompanies this distribution, and is available
* at the URL "http://www.eclipse.org/legal/epl-v10.html".
*
* Initial Contributors:
* Nokia Corporation - initial contribution.
*
* Contributors:
*
* Description: 
* TPKIXConstraint and TPKIXPolicyConstraint implementations
*
*/
/**
 @file 
 @internalTechnology
*/
 
#if !defined (__PKIXCONS_H__)
#define __PKIXCONS_H__
#include <e32std.h>
#include <x509cert.h>
#include <x509certchain.h>
#include <x509certext.h>
#include <x509gn.h>
#include <pkixcertchain.h>
#include "pkixcertstate.h"
/**
 * Base for the per-certificate PKIX constraint checkers declared in this file.
 *
 * Holds non-owning references to the chain-wide validation state and to the
 * result object that collects the verdict; both are supplied by the caller and
 * must outlive the checker (Symbian T-class: no owned heap resources).
 */
class TPKIXConstraint
	{
protected:
	/** @param aState  Validation state shared by every checker over one chain.
	 *  @param aResult Receives the outcome of the checks. */
	TPKIXConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/** Removes the extension identified by aOID from aCriticalExtensions.
	 *  Presumably called once a checker has consumed a critical extension, so
	 *  that anything still in the array afterwards counts as an unhandled
	 *  critical extension — confirm against pkixCons.cpp. */
	void Remove(CArrayPtrFlat<CX509CertExtension>& aCriticalExtensions, const TDesC& aOID);
	CPKIXValidationState& iState;			// not owned
	CPKIXValidationResultBase& iResult;	// not owned
	};
/*
Certificate policies are processed in the following way:
Inputs:
------
user-constrained policy set: set of policies deemed acceptable to client of PKIXCert (relying party)
Variables:
---------
UP: user-constrained-policy set: initialised by user, or set to empty (='any-policy', since empty is not a sensible value)
AP: authority-constrained policy set: set of policies deemed acceptable to issuing authority, initialised to 'any-policy'
MP: mapped policy set: set of mapped policies, initialised to empty
explicit policy:	integer indicating position of first certificate in path where explicit policy ID is required.
					initialised to n+1 where n=length of chain
policy mapping:		integer indicating position of last certificate in path where policy mapping is allowed
					initialised to n+1 where n=length of chain
Processing:
----------
For each certificate in chain, where certificate is at i in the chain (root being 1, ee cert being n):
-if explicit policy <= i, a policy ID in cert shall be in UP
-if policy mapping <= i, policy may not be mapped
-if the cert doesn't contain a policy extension, then:
	-if AP = any, AP is unchanged
	-else AP is set to empty
-if the cert contains a policy extension then 
	-AP is set to the intersection of AP and CP
	-any mapped policies occurring in CP are added to AP
-if we can do mapping, then
	-if AP = any then 
		-all the 'subject' policies are added to MP
		-for all mapped policies, if the 'issuer' policy is in UP then the 'subject' policy is added to UP
	-if AP != any then
		-for all mapped policies, 
			-if the issuer policy is in AP then
				-the subject policy is added to MP
				-if the issuer policy is in UP then the subject policy is added to UP
At the end of the chain,
-if UP = any then we pass
-if UP != any then 
	-if AP = any then we fail
	-otherwise we intersect AP and UP; if the result is empty then we fail
It is not entirely clear that this is a faithful implementation of the algorithm described in RFC 2459 
section 6.1, because the spec is a little ambiguous here. Additionally, this section of the spec is 
currently undergoing revision (true as of 12 April 2000). So when it's finished being revised, the code
here should be revised to reflect the spec.
However, for the test vectors that I have at this time this appears to give sensible results.
*/
/**
 * Certificate-policy processing for a chain; the algorithm is described in the
 * comment block immediately above.
 *
 * Per certificate the chain walker is expected to call CheckCertPoliciesL and
 * then UpdatePolicyConstraintsL; FinishPolicyCheckL applies the end-of-chain
 * rule (pass if UP is any-policy, otherwise AP must not be any-policy and the
 * intersection of AP and UP must be non-empty). The working sets UP/AP/MP and
 * the two countdowns are not members here, so they presumably live in iState
 * (pkixcertstate.h) — confirm. Symbian naming: a trailing L means the function
 * may leave, LC that it also leaves its result on the cleanup stack.
 */
class TPKIXPolicyConstraint : public TPKIXConstraint
	{
public:
	TPKIXPolicyConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/** Per the description above: enforces the explicit-policy requirement for
	 *  aCert and updates AP from its certificate-policies extension (AP is
	 *  emptied when the extension is absent and AP is not any-policy). */
	void CheckCertPoliciesL(const CX509Certificate& aCert);
	/** Per the description above: applies aCert's policy-constraints
	 *  extension to the explicit-policy and policy-mapping countdowns and
	 *  processes its policy mappings into MP/UP. */
	void UpdatePolicyConstraintsL(const CX509Certificate& aCert);
	/** End-of-chain decision; presumably records the verdict in iResult. */
	void FinishPolicyCheckL();
private:
	/** Replaces AP with the intersection of AP and the policies listed in
	 *  aPolicyExt (the "cert contains a policy extension" branch above). */
	void IntersectCertPoliciesL(const CX509CertPoliciesExt& aPolicyExt);
	/** Lowers aCountdown according to aConstraint; presumably shared by the
	 *  explicit-policy and policy-mapping counters (both are TInt positions). */
	void UpdateConstraint(const TX509PolicyConstraint& aConstraint, TInt& aCountdown);
	/** Returns a new array holding the policies common to aFirst and aSecond,
	 *  left on the cleanup stack (LC) for the caller to pop. Whether the
	 *  elements are copies or shared pointers is decided in pkixCons.cpp; see
	 *  CleanupPolicyInfoArray, which presumably is the matching cleanup. */
	CArrayPtrFlat<CX509CertPolicyInfo>* IntersectionLC(	const CArrayPtrFlat<CX509CertPolicyInfo>& aFirst,
														const CArrayPtrFlat<CX509CertPolicyInfo>& aSecond);
	/** ETrue if some policy in aPolicies has an OID listed in
	 *  aAcceptablePolicies (OIDs held as descriptors). */
	TBool PolicyIsPresentL(	const CArrayPtrFlat<CX509CertPolicyInfo>& aPolicies, 
							const CArrayPtr<HBufC>& aAcceptablePolicies);
	/** Cleanup-stack callback (TCleanupItem signature). aPolicies is expected
	 *  to be a CArrayPtrFlat<CX509CertPolicyInfo>*; elements and array are
	 *  presumably destroyed together — confirm in pkixCons.cpp. */
	static void CleanupPolicyInfoArray(TAny* aPolicies);
	};
/**
 * Name-constraints processing (permitted / excluded subtrees).
 *
 * Expected call order per certificate: CheckNameConstraintsL tests aCert's
 * names against the subtrees gathered from the CAs above it, then
 * UpdateNameConstraintsL folds aCert's own name-constraints extension into
 * iState for the certificates below it — the exact split is in pkixCons.cpp;
 * confirm there. The private overloads each handle one name form, fixed by
 * the parameter types: distinguished names, DNS domain names, and IP
 * addresses matched against address/mask pairs.
 *
 * NOTE(review): which names of aCert are tested (the subject DN only, or every
 * subjectAltName entry of a constrained form as well) is not visible from this
 * header; a constraint that ignores alternative names offers no protection
 * for them, so check that the implementation covers both.
 */
class TPKIXNameConstraint : public TPKIXConstraint
	{
public:
	TPKIXNameConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/** Checks aCert's names against the constraints accumulated so far. */
	void CheckNameConstraintsL(	const CX509Certificate& aCert);
	/** Adds aCert's own name constraints to the state for subordinate certs. */
	void UpdateNameConstraintsL(const CX509Certificate& aCert);
private:
	/** Presumably ETrue when aSubject lies within one of the DN subtrees in
	 *  aSubtrees. May leave (L), unlike the two overloads below. */
	TBool NameIsPresentL(const CX500DistinguishedName& aSubject,
						const CArrayPtrFlat<CX500DistinguishedName>& aSubtrees);
	/** Presumably ETrue when the DNS name aSubject lies within one of
	 *  aSubtrees. */
	TBool NameIsPresent(const CX509DomainName& aSubject,
						const CArrayPtrFlat<CX509DomainName>& aSubtrees);
	/** Presumably ETrue when the IP address aSubject falls inside one of the
	 *  address/mask pairs in aSubtrees. */
	TBool NameIsPresent(const CX509IPAddress& aSubject,
						const CArrayPtrFlat<CX509IPSubnetMask>& aSubtrees);
	};
/**
 * Basic-constraints processing. Holds no state beyond the base class.
 *
 * CheckCertSubjectTypeL presumably verifies that aCert is allowed to occupy
 * its position in the chain (CA vs. end entity), and
 * UpdatePathLengthConstraintsL applies aCert's path-length limit to the
 * remaining certificates — confirm both in pkixCons.cpp.
 */
class TPKIXBasicConstraint : public TPKIXConstraint
	{
public:
	TPKIXBasicConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/** Checks that aCert's subject type matches its role in the chain. */
	void CheckCertSubjectTypeL(const CX509Certificate& aCert);
	/** Feeds aCert's path-length constraint into the shared state. */
	void UpdatePathLengthConstraintsL(const CX509Certificate& aCert);
private:
	};
/**
 * Key-usage processing. Holds no state beyond the base class.
 *
 * CheckKeyUsageL presumably verifies that aCert's key-usage extension permits
 * the role the certificate plays in the chain (e.g. certificate signing for an
 * issuer) — confirm in pkixCons.cpp.
 */
class TPKIXKeyUsageConstraint : public TPKIXConstraint
	{
public:
	TPKIXKeyUsageConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/** Checks aCert's key usage against its position in the chain. */
	void CheckKeyUsageL(const CX509Certificate& aCert);
private:
	};
#endif