os/security/cryptoservices/certificateandkeymgmt/pkixcertbase/pkixCons.h
changeset 0 bde4ae8d615e
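--- /dev/null
+++ b/os/security/cryptoservices/certificateandkeymgmt/pkixcertbase/pkixCons.h
@@ -0,0 +1,149 @@
+/*
+* Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies).
+* All rights reserved.
+* This component and the accompanying materials are made available
+* under the terms of the License "Eclipse Public License v1.0"
+* which accompanies this distribution, and is available
+* at the URL "http://www.eclipse.org/legal/epl-v10.html".
+*
+* Initial Contributors:
+* Nokia Corporation - initial contribution.
+*
+* Contributors:
+*
+* Description: 
+* TPKIXConstraint and TPKIXPolicyConstraint implementations
+*
+*/
+
+
+/**
+ @file 
+ @internalTechnology
+*/
+ 
+#if !defined (__PKIXCONS_H__)
+#define __PKIXCONS_H__
+
+#include <e32std.h>
+#include <x509cert.h>
+#include <x509certchain.h>
+#include <x509certext.h>
+#include <x509gn.h>
+#include <pkixcertchain.h>
+#include "pkixcertstate.h"
+
+class TPKIXConstraint
+	{
+protected:
+	TPKIXConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void Remove(CArrayPtrFlat<CX509CertExtension>& aCriticalExtensions, const TDesC& aOID);
+	CPKIXValidationState& iState;
+	CPKIXValidationResultBase& iResult;
+	};
+
+/*
+Certificate policies are processed in the following way:
+
+Inputs:
+------
+user-constrained policy set: set of policies deemed acceptable to client of PKIXCert (relying party)
+
+Variables:
+---------
+UP: user-constrained-policy set: initialised by user, or set to empty (='any-policy', since empty is not a sensible value)
+AP: authority-constrained policy set: set of policies deemed acceptable to issuing authority, initialised to 'any-policy'
+MP: mapped policy set: set of mapped policies, initialised to empty
+explicit policy:	integer indicating position of first certificate in path where explicit policy ID is required.
+					intialised to n+1 where n=length of chain
+policy mapping:		integer indicating position of last certificate in path where policy mapping is allowed
+					intialised to n+1 where n=length of chain
+
+Processing:
+----------
+For each certificate in chain, where certificate is at i in the chain (root being 1, ee cert being n):
+
+-if explicit policy <= i, a policy ID in cert shall be in UP
+-if policy mapping <= i, policy may not be mapped
+-if the cert doesn't contain a policy extension, then:
+	-if AP = any, AP is unchanged
+	-else AP is set to empty
+-if the cert contains a policy extension then 
+	-AP is set to the intersection of AP and CP
+	-any mapped policies occurring in CP are added to AP
+
+-if we can do mapping, then
+	-if AP = any then 
+		-all the 'subject' policies are added to MP
+		-for all mapped policies, if the 'issuer' policy is in UP then the 'subject' policy is added to UP
+	-if AP != any then
+		-for all mapped policies, 
+			-if the issuer policy is in AP then
+				-the subject policy is added to MP
+				-if the issuer policy is in UP then the subject policy is added to UP
+
+At the end of the chain,
+-if UP = any then we pass
+-if UP != any then 
+	-if AP = any then we fail
+	-otherwise we intersect AP and UP; if the result is empty then we fail
+
+It is not entirely clear that this is a faithful implementation of the algorithm described in RFC 2459 
+section 6.1, because the spec is a little ambiguous here. Additionally, this section of the spec is 
+currently undergoing revision (true as of 12 April 2000). So when it's finished being revised, the code
+here should be revised to reflect the spec.
+
+However, for the test vectors that I have at this time this appears to give sensible results.
+
+*/
+
+class TPKIXPolicyConstraint : public TPKIXConstraint
+	{
+public:
+	TPKIXPolicyConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void CheckCertPoliciesL(const CX509Certificate& aCert);
+	void UpdatePolicyConstraintsL(const CX509Certificate& aCert);
+	void FinishPolicyCheckL();
+private:
+	void IntersectCertPoliciesL(const CX509CertPoliciesExt& aPolicyExt);
+	void UpdateConstraint(const TX509PolicyConstraint& aConstraint, TInt& aCountdown);
+	CArrayPtrFlat<CX509CertPolicyInfo>* IntersectionLC(	const CArrayPtrFlat<CX509CertPolicyInfo>& aFirst,
+														const CArrayPtrFlat<CX509CertPolicyInfo>& aSecond);
+	TBool PolicyIsPresentL(	const CArrayPtrFlat<CX509CertPolicyInfo>& aPolicies, 
+							const CArrayPtr<HBufC>& aAcceptablePolicies);
+	static void CleanupPolicyInfoArray(TAny* aPolicies);
+	};
+
+class TPKIXNameConstraint : public TPKIXConstraint
+	{
+public:
+	TPKIXNameConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void CheckNameConstraintsL(	const CX509Certificate& aCert);
+	void UpdateNameConstraintsL(const CX509Certificate& aCert);
+private:
+	TBool NameIsPresentL(const CX500DistinguishedName& aSubject,
+						const CArrayPtrFlat<CX500DistinguishedName>& aSubtrees);
+	TBool NameIsPresent(const CX509DomainName& aSubject,
+						const CArrayPtrFlat<CX509DomainName>& aSubtrees);
+	TBool NameIsPresent(const CX509IPAddress& aSubject,
+						const CArrayPtrFlat<CX509IPSubnetMask>& aSubtrees);
+	};
+
+class TPKIXBasicConstraint : public TPKIXConstraint
+	{
+public:
+	TPKIXBasicConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void CheckCertSubjectTypeL(const CX509Certificate& aCert);
+	void UpdatePathLengthConstraintsL(const CX509Certificate& aCert);
+private:
+	};
+
+class TPKIXKeyUsageConstraint : public TPKIXConstraint
+	{
+public:
+	TPKIXKeyUsageConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void CheckKeyUsageL(const CX509Certificate& aCert);
+private:
+	};
+
+#endif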
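Review bot: TPKIXNameConstraint declares matching helpers only for distinguished names, DNS domain names and IP subnet masks (the NameIsPresentL/NameIsPresent overloads), so this header does not say what CheckNameConstraintsL does when a critical name constraints extension carries a subtree of another form such as rfc822Name or URI; RFC 5280 §4.2.1.10 requires a validator either to process every constrained form that appears in a subject name or to reject the certificate, and letting an unhandled form pass would silently widen what the constraint was meant to restrict. The behaviour lives in the implementation file rather than here, so this is a documentation request rather than a claimed defect: a comment on CheckNameConstraintsL along the lines of `// Name forms with no NameIsPresent overload (e.g. rfc822Name, URI) are rejected, not ignored` (or whatever the real policy is) would settle it for the next reader. Separately, the policy-processing comment still cites RFC 2459 section 6.1 and a revision "true as of 12 April 2000"; RFC 2459 has since been obsoleted by RFC 3280 and then RFC 5280, so that note should be refreshed against the current profile or at least state which test vectors the description was validated against.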