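--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/os/security/cryptoservices/certificateandkeymgmt/pkixcertbase/pkixcons.cpp Fri Jun 15 03:10:57 2012 +0200
@@ -0,0 +1,630 @@
+/*
+* Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies).
+* All rights reserved.
+* This component and the accompanying materials are made available
+* under the terms of the License "Eclipse Public License v1.0"
+* which accompanies this distribution, and is available
+* at the URL "http://www.eclipse.org/legal/epl-v10.html".
+*
+* Initial Contributors:
+* Nokia Corporation - initial contribution.
+*
+* Contributors:
+*
+* Description:
+*
+*/
+
+
+#include "pkixCons.h"
+
+//PKIX constraint
+//only function is remove
+TPKIXConstraint::TPKIXConstraint( CPKIXValidationState& aState,
+ CPKIXValidationResultBase& aResult)
+ :iState(aState), iResult(aResult)
+ {
+ }
+
+void TPKIXConstraint::Remove(CArrayPtrFlat<CX509CertExtension>& aCriticalExtensions, const TDesC& aOID)
+ {
+ TInt count = aCriticalExtensions.Count();
+ for (TInt i = 0; i < count; i++)
+ {
+ CX509CertExtension* ext = aCriticalExtensions.At(i);
+ if (ext->Id() == aOID)
+ {
+ aCriticalExtensions.Delete(i);
+ break;
+ }
+ }
+ }
+
+//policy constraint
+//public functions
+TPKIXPolicyConstraint::TPKIXPolicyConstraint( CPKIXValidationState& aState,
+ CPKIXValidationResultBase& aResult)
+ :TPKIXConstraint(aState, aResult)
+ {
+ }
+
+void TPKIXPolicyConstraint::CleanupPolicyInfoArray(TAny* aPolicies)
+ {
+ CArrayPtrFlat<CX509CertPolicyInfo>* array = REINTERPRET_CAST(CArrayPtrFlat<CX509CertPolicyInfo>*, aPolicies);
+ array->ResetAndDestroy();
+ delete array;
+ }
+
+void TPKIXPolicyConstraint::CheckCertPoliciesL(const CX509Certificate& aCert)
+ {
+ const CX509CertExtension* ext = aCert.Extension(KCertPolicies);
+ CX509CertPoliciesExt* policyExt = NULL;
+ if (ext)
+ {
+ policyExt = CX509CertPoliciesExt::NewLC(ext->Data());
+ }
+ if (iState.iPos > iState.iPolicyRequired)
+ {
+ if (!(policyExt))
+ {
+ iResult.SetErrorAndLeaveL(ERequiredPolicyNotFound, iState.iPos);
+ }
+ const CArrayPtrFlat<CX509CertPolicyInfo>& policies = policyExt->Policies();
+ if ((iState.iUserPolicies->Count() == 0) || (PolicyIsPresentL(policies, *iState.iUserPolicies)))
+ {
+ }
+ else
+ {
+ iResult.SetErrorAndLeaveL(ERequiredPolicyNotFound, iState.iPos);
+ }
+ }
+ if (!policyExt)
+ {
+ if (!iState.iAnyAuthorityPolicy)
+ {
+ iState.iAuthorityConstrainedPolicies->ResetAndDestroy();//AP becomes NULL
+ }
+ }
+ else
+ {
+ IntersectCertPoliciesL(*policyExt);
+ if (ext->Critical())
+ {
+ TInt count = iState.iAuthorityConstrainedPolicies->Count();
+ for (TInt i = 0; i < count; i++)
+ {
+ const CX509CertPolicyInfo* policy = iState.iAuthorityConstrainedPolicies->At(i);
+ if (policy->Qualifiers().Count() > 0)
+ {
+ iResult.AppendWarningL(TValidationStatus(ECriticalCertPoliciesWithQualifiers, i));
+ break;
+ }
+ }
+ Remove(*(iState.iCriticalExts), KCertPolicies);
+ }
+ CleanupStack::PopAndDestroy();//policyExt
+ }
+ }
+
+void TPKIXPolicyConstraint::IntersectCertPoliciesL(const CX509CertPoliciesExt& aPolicyExt)
+ {
+ //1 intersect AP and CP, assign result to newAP
+ CArrayPtrFlat<CX509CertPolicyInfo>* newAP;
+ TInt certPolicyCount = aPolicyExt.Policies().Count();
+ if (iState.iAnyAuthorityPolicy)
+ {
+ newAP = new(ELeave) CArrayPtrFlat<CX509CertPolicyInfo> (1);
+ TCleanupItem cleanupPolicies(CleanupPolicyInfoArray, newAP);
+ CleanupStack::PushL(cleanupPolicies);
+ for (TInt i = 0; i < certPolicyCount; i++)
+ {
+ CX509CertPolicyInfo* info = CX509CertPolicyInfo::NewLC(*(aPolicyExt.Policies().At(i)));
+ newAP->AppendL(info);
+ CleanupStack::Pop();
+ }
+ iState.iAnyAuthorityPolicy = EFalse;
+ }
+ else
+ {
+ newAP = IntersectionLC(aPolicyExt.Policies(), *(iState.iAuthorityConstrainedPolicies));
+ }
+
+ TInt mappedCount = iState.iMappedPolicies->Count();
+ for (TInt i = 0; i < mappedCount; i++)
+ {
+ CX509PolicyMapping* mapping = iState.iMappedPolicies->At(i);
+ TInt apCount = iState.iAuthorityConstrainedPolicies->Count();
+ //2 for each mapping in MP, if issuer is in AP and subject is in CP, add subject to newAP
+ for (TInt j = 0; j < apCount; j++)
+ {
+ CX509CertPolicyInfo* aCP = iState.iAuthorityConstrainedPolicies->At(j);
+ if (aCP->Id() == mapping->IssuerPolicy())
+ {
+ for (TInt k = 0; k < certPolicyCount; k++)
+ {
+ CX509CertPolicyInfo* cp = aPolicyExt.Policies().At(k);
+ if (mapping->SubjectPolicy() == cp->Id())
+ {
+ CX509CertPolicyInfo* newPolicy = CX509CertPolicyInfo::NewLC(*cp);
+ newAP->AppendL(newPolicy);
+ CleanupStack::Pop();
+ }
+ }
+ }
+ }
+ }
+ //new acceptable policies = intersection
+ iState.iAuthorityConstrainedPolicies->ResetAndDestroy();
+ delete iState.iAuthorityConstrainedPolicies;
+ iState.iAuthorityConstrainedPolicies = newAP;
+ CleanupStack::Pop();//newAP
+ }
+
+void TPKIXPolicyConstraint::UpdatePolicyConstraintsL(const CX509Certificate& aCert)
+ {
+ //get mapping ext
+ const CX509CertExtension* ext = aCert.Extension(KPolicyMapping);
+ if ((iState.iPos <= iState.iPolicyMapping) && (ext))
+ {
+ CX509PolicyMappingExt* policyMappingExt = CX509PolicyMappingExt::NewLC(ext->Data());
+ const CArrayPtrFlat<CX509PolicyMapping>& mappings = policyMappingExt->Mappings();
+ //for each policy mapping
+ TInt countM = mappings.Count();
+ for (TInt i = 0; i < countM; i++)
+ {
+ CX509PolicyMapping* mapping = mappings.At(i);
+ CX509PolicyMapping* newMapping = CX509PolicyMapping::NewLC(*mapping);
+ iState.iMappedPolicies->AppendL(newMapping);
+ CleanupStack::Pop();
+ TInt uCount = iState.iUserPolicies->Count();
+ for (TInt j = 0; j < uCount; j++)
+ {
+ HBufC* userPolicy = iState.iUserPolicies->At(j);
+ if (newMapping->IssuerPolicy() == *userPolicy)
+ {
+ HBufC* newUP = newMapping->SubjectPolicy().AllocL();
+ CleanupStack::PushL(newUP);
+ iState.iUserPolicies->AppendL(newUP);
+ CleanupStack::Pop();
+ break;
+ }
+ }
+ }
+ CleanupStack::PopAndDestroy();//mapping ext
+ }
+ iState.iPolicyMapping --;
+ iState.iPolicyRequired --;
+ //get constraints
+ ext = aCert.Extension(KPolicyConstraints);
+ if ( ext )
+ {
+ CX509PolicyConstraintsExt* policyConstraintsExt = CX509PolicyConstraintsExt::NewLC(ext->Data());
+ UpdateConstraint(policyConstraintsExt->InhibitPolicyMapping(), iState.iPolicyMapping);
+ UpdateConstraint(policyConstraintsExt->ExplicitPolicyRequired(), iState.iPolicyRequired);
+ CleanupStack::PopAndDestroy();//constraint ext
+ //remove it from the 'critical list'
+ if (ext->Critical())
+ {
+ Remove(*(iState.iCriticalExts), KPolicyConstraints);
+ }
+ }
+ }
+
+//private functions
+TBool TPKIXPolicyConstraint::PolicyIsPresentL( const CArrayPtrFlat<CX509CertPolicyInfo>& aPolicies,
+ const CArrayPtr<HBufC>& aAcceptablePolicies)
+ {
+ TInt certCount = aPolicies.Count();
+ TInt chainCount = aAcceptablePolicies.Count();
+ for (TInt i = 0; i < certCount; i++)
+ {
+ CX509CertPolicyInfo* certPolicy = aPolicies.At(i);
+ for (TInt j = 0; j < chainCount; j++)
+ {
+ HBufC* chainPolicy = aAcceptablePolicies.At(j);
+ if (certPolicy->Id() == chainPolicy->Des())
+ {
+ return ETrue;
+ }
+ }
+ }
+ return EFalse;
+ }
+
+void TPKIXPolicyConstraint::UpdateConstraint(const TX509PolicyConstraint& aConstraint, TInt& aCountdown)
+ {
+ if (aConstraint.iRequired)
+ {
+ if (aConstraint.iCountdown < aCountdown)
+ aCountdown = aConstraint.iCountdown;
+ }
+ }
+
+void TPKIXPolicyConstraint::FinishPolicyCheckL()
+ {
+ if (iState.iUserConstrainedPolicies)
+ {
+ TBool passed = EFalse;
+ if (!(iState.iAnyAuthorityPolicy))
+ {//policy from user policies must be in authority policy set
+ if ((PolicyIsPresentL(*(iState.iAuthorityConstrainedPolicies), *(iState.iUserPolicies))))
+ {
+ passed = ETrue;
+ }
+ }
+ if (!passed)
+ {
+ iResult.SetErrorAndLeaveL(ERequiredPolicyNotFound, iState.iPos);
+ }
+ }
+ }
+
+CArrayPtrFlat<CX509CertPolicyInfo>* TPKIXPolicyConstraint::IntersectionLC(
+ const CArrayPtrFlat<CX509CertPolicyInfo>& aFirst,
+ const CArrayPtrFlat<CX509CertPolicyInfo>& aSecond)
+ //constructs an array of certificate policy objects,
+ //populating it with policies that occur in both of the array parameters
+ {
+ CArrayPtrFlat<CX509CertPolicyInfo>* inter = new(ELeave) CArrayPtrFlat<CX509CertPolicyInfo> (1);
+ TCleanupItem cleanupPolicies(CleanupPolicyInfoArray, inter);
+ CleanupStack::PushL(cleanupPolicies);
+ TInt count1 = aFirst.Count();
+ TInt count2 = aSecond.Count();
+ for (TInt i = 0; i < count1; i++)
+ {
+ CX509CertPolicyInfo* policy1 = aFirst.At(i);
+ for (TInt j = 0; j < count2; j++)
+ {
+ CX509CertPolicyInfo* policy2 = aSecond.At(j);
+ if (policy1->Id() == policy2->Id())
+ {
+ CX509CertPolicyInfo* info = CX509CertPolicyInfo::NewLC(*policy1);
+ inter->AppendL(info);
+ CleanupStack::Pop();
+ }
+ }
+ }
+ return inter;
+ }
+
+//name constraint
+//public functions
+TPKIXNameConstraint::TPKIXNameConstraint( CPKIXValidationState& aState,
+ CPKIXValidationResultBase& aResult)
+ :TPKIXConstraint(aState, aResult)
+ {
+ }
+
+void TPKIXNameConstraint::CheckNameConstraintsL(const CX509Certificate& aCert)
+ {
+ //*do the subject name
+ if (NameIsPresentL(aCert.SubjectName(), *(iState.iExcludedDNSubtrees)))
+ {
+ iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
+ }
+ TInt pCount = iState.iPermittedDNSubtrees->Count();
+ if ((pCount > 0) && (!(NameIsPresentL(aCert.SubjectName(), *(iState.iPermittedDNSubtrees)))))
+ {
+ iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
+ }
+ //*do the alt name
+ const CX509CertExtension* ext = aCert.Extension(KSubjectAltName);
+ if (ext)
+ {
+ CX509AltNameExt* altNameExt = CX509AltNameExt::NewLC(ext->Data());
+ const CArrayPtrFlat<CX509GeneralName>& altName = altNameExt->AltName();
+ TInt count = altName.Count();
+ for (TInt i = 0; i < count; i++)
+ {
+ const CX509GeneralName* gN = altName.At(i);
+ switch (gN->Tag())
+ {
+ case EX509DirectoryName://X500DN
+ {
+ const CX500DistinguishedName* dN = CX500DistinguishedName::NewLC(gN->Data());
+ if (NameIsPresentL(*dN, *(iState.iExcludedDNSubtrees)))
+ {
+ iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
+ }
+ if ((pCount > 0) && (!(NameIsPresentL(*dN, *(iState.iPermittedDNSubtrees)))))
+ {
+ iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
+ }
+ CleanupStack::PopAndDestroy();
+ }
+ break;
+ case EX509RFC822Name://IA5String
+ {
+ const CX509RFC822Name* name = CX509RFC822Name::NewLC(gN->Data());
+ if (NameIsPresent(*name, *(iState.iExcludedRFC822Subtrees)))
+ {
+ iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
+ }
+ if ((iState.iPermittedRFC822Subtrees->Count() > 0) && (!(NameIsPresent(*name, *(iState.iPermittedRFC822Subtrees)))))
+ {
+ iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
+ }
+ CleanupStack::PopAndDestroy();
+ }
+ break;
+ case EX509URI://IA5String
+ {
+ const CX509IPBasedURI* name = CX509IPBasedURI::NewLC(gN->Data());
+ const CX509DNSName& domain = name->Host();
+ if (NameIsPresent(domain, *(iState.iExcludedDNSNameSubtrees)))
+ {
+ iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
+ }
+ if ((iState.iPermittedDNSNameSubtrees->Count() > 0) && (!(NameIsPresent(domain, *(iState.iPermittedDNSNameSubtrees)))))
+ {
+ iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
+ }
+ CleanupStack::PopAndDestroy();
+ }
+ break;
+ case EX509DNSName://IA5String
+ {
+ const CX509DNSName* name = CX509DNSName::NewLC(gN->Data());
+ if (NameIsPresent(*name, *(iState.iExcludedDNSNameSubtrees)))
+ {
+ iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
+ }
+ if ((iState.iPermittedDNSNameSubtrees->Count() > 0) && (!(NameIsPresent(*name, *(iState.iPermittedDNSNameSubtrees)))))
+ {
+ iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
+ }
+ CleanupStack::PopAndDestroy();
+ }
+ break;
+ case EX509IPAddress://octet string
+ {
+ const CX509IPAddress* name = CX509IPAddress::NewLC(gN->Data());
+ if (NameIsPresent(*name, *(iState.iExcludedIPAddressSubtrees)))
+ {
+ iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
+ }
+ if ((iState.iPermittedIPAddressSubtrees->Count() > 0) && (!(NameIsPresent(*name, *(iState.iPermittedIPAddressSubtrees)))))
+ {
+ iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
+ }
+ CleanupStack::PopAndDestroy();
+ }
+ break;
+ }
+ }//end of for loop
+ //we've handled this now, so can remove it from the critical list
+ Remove(*(iState.iCriticalExts), KSubjectAltName);
+ CleanupStack::PopAndDestroy();//altNameExt
+ }//end of if(ext)
+ }
+
+void TPKIXNameConstraint::UpdateNameConstraintsL(const CX509Certificate& aCert)
+ {
+ const CX509CertExtension* ext = aCert.Extension(KNameConstraints);
+ if (ext)
+ {
+ CX509NameConstraintsExt* nameCons = CX509NameConstraintsExt::NewLC(ext->Data());
+ const CArrayPtrFlat<CX509GeneralSubtree>& excSubtrees = nameCons->ExcludedSubtrees();
+ TInt count = excSubtrees.Count();
+ for (TInt i = 0; i < count; i++)
+ {
+ const CX509GeneralSubtree* subtree = excSubtrees.At(i);
+ const CX509GeneralName& gN = subtree->Name();
+ switch (gN.Tag())
+ {
+ case EX509DirectoryName://X500DN
+ {
+ CX500DistinguishedName* name = CX500DistinguishedName::NewLC(gN.Data());
+ iState.iExcludedDNSubtrees->AppendL(name);
+ CleanupStack::Pop();
+ }
+ break;
+ case EX509RFC822Name://IA5String
+ {
+ CX509RFC822Name* name = CX509RFC822Name::NewLC(gN.Data());
+ iState.iExcludedRFC822Subtrees->AppendL(name);
+ CleanupStack::Pop();
+ }
+ break;
+ case EX509URI://IA5String
+ {
+ CX509IPBasedURI* name = CX509IPBasedURI::NewLC(gN.Data());
+ CX509DNSName* domain = CX509DNSName::NewLC(name->Host());
+ iState.iExcludedDNSNameSubtrees->AppendL(domain);
+ CleanupStack::Pop();
+ CleanupStack::PopAndDestroy();
+ }
+ break;
+ case EX509DNSName://IA5String
+ {
+ CX509DNSName* name = CX509DNSName::NewLC(gN.Data());
+ iState.iExcludedDNSNameSubtrees->AppendL(name);
+ CleanupStack::Pop();
+ }
+ break;
+ case EX509IPAddress://octet string
+ {
+ CX509IPSubnetMask* name = CX509IPSubnetMask::NewLC(gN.Data());
+ iState.iExcludedIPAddressSubtrees->AppendL(name);
+ CleanupStack::Pop();
+ }
+ break;
+ default:
+ {
+ User::Leave(KErrNotSupported);
+ }
+ break;
+ }
+ }//end of for loop
+ const CArrayPtrFlat<CX509GeneralSubtree>& perSubtrees = nameCons->PermittedSubtrees();
+ count = perSubtrees.Count();
+ for (TInt j = 0; j < count; j++)
+ {
+ const CX509GeneralSubtree* subtree = perSubtrees.At(j);
+ const CX509GeneralName& gN = subtree->Name();
+ switch (gN.Tag())
+ {
+ case EX509DirectoryName://X500DN
+ {
+ CX500DistinguishedName* name = CX500DistinguishedName::NewLC(gN.Data());
+ iState.iPermittedDNSubtrees->AppendL(name);
+ CleanupStack::Pop();
+ }
+ break;
+ case EX509RFC822Name://IA5String
+ {
+ CX509RFC822Name* name = CX509RFC822Name::NewLC(gN.Data());
+ iState.iPermittedRFC822Subtrees->AppendL(name);
+ CleanupStack::Pop();
+ }
+ break;
+ case EX509URI://IA5String
+ {
+ CX509IPBasedURI* name = CX509IPBasedURI::NewLC(gN.Data());
+ CX509DNSName* domain = CX509DNSName::NewLC(name->Host());
+ iState.iPermittedDNSNameSubtrees->AppendL(domain);
+ CleanupStack::Pop();
+ CleanupStack::PopAndDestroy();
+ }
+ break;
+ case EX509DNSName://IA5String
+ {
+ CX509DNSName* name = CX509DNSName::NewLC(gN.Data());
+ iState.iPermittedDNSNameSubtrees->AppendL(name);
+ CleanupStack::Pop();
+ }
+ break;
+ case EX509IPAddress://octet string
+ {
+ CX509IPSubnetMask* name = CX509IPSubnetMask::NewLC(gN.Data());
+ iState.iPermittedIPAddressSubtrees->AppendL(name);
+ CleanupStack::Pop();
+ }
+ break;
+ default:
+ {
+ User::Leave(KErrNotSupported);
+ }
+ break;
+ }
+ }//end of for loop
+ CleanupStack::PopAndDestroy();//nameConsExt
+ //we've handled this now, so can remove it from the critical list
+ Remove(*(iState.iCriticalExts), KNameConstraints);
+ }//end of if(ext)
+ }
+
+
+//private functions
+TBool TPKIXNameConstraint::NameIsPresentL( const CX500DistinguishedName& aSubject,
+ const CArrayPtrFlat<CX500DistinguishedName>& aSubtrees)
+ {
+ TInt count = aSubtrees.Count();
+ for (TInt i = 0; i < count; i++)
+ {
+ const CX500DistinguishedName* excluded = aSubtrees.At(i);
+ if (aSubject.IsWithinSubtreeL(*excluded))
+ {
+ return ETrue;
+ }
+ }
+ return EFalse;
+ }
+
+TBool TPKIXNameConstraint::NameIsPresent( const CX509DomainName& aSubject,
+ const CArrayPtrFlat<CX509DomainName>& aSubtrees)
+ {
+ TInt count = aSubtrees.Count();
+ for (TInt i = 0; i < count; i++)
+ {
+ const CX509DomainName* excluded = aSubtrees.At(i);
+ if (aSubject.IsWithinSubtree(*excluded))
+ {
+ return ETrue;
+ }
+ }
+ return EFalse;
+ }
+
+TBool TPKIXNameConstraint::NameIsPresent( const CX509IPAddress& aSubject,
+ const CArrayPtrFlat<CX509IPSubnetMask>& aSubtrees)
+ {
+ TInt count = aSubtrees.Count();
+ for (TInt i = 0; i < count; i++)
+ {
+ const CX509IPSubnetMask* excluded = aSubtrees.At(i);
+ if (aSubject.IsWithinSubtree(*excluded))
+ {
+ return ETrue;
+ }
+ }
+ return EFalse;
+ }
+
+//basic constraint
+TPKIXBasicConstraint::TPKIXBasicConstraint( CPKIXValidationState& aState,
+ CPKIXValidationResultBase& aResult)
+ :TPKIXConstraint(aState, aResult)
+ {
+ }
+
+void TPKIXBasicConstraint::CheckCertSubjectTypeL(const CX509Certificate& aCert)
+ {
+ TBool markedAsCA = EFalse;
+ TBool actsAsCA = iState.iPos > 0;
+ const CX509CertExtension* ext = aCert.Extension(KBasicConstraints);
+ if (ext)
+ {
+ CX509BasicConstraintsExt* basic = CX509BasicConstraintsExt::NewLC(ext->Data());
+ markedAsCA = basic->IsCA();
+ CleanupStack::PopAndDestroy();
+ }
+ if (actsAsCA && (!markedAsCA))
+ {
+ iResult.SetErrorAndLeaveL(ENotCACert, iState.iPos);
+ }
+ }
+
+void TPKIXBasicConstraint::UpdatePathLengthConstraintsL(const CX509Certificate& aCert)
+ {
+ const CX509CertExtension* ext = aCert.Extension(KBasicConstraints);
+ if (ext)
+ {
+ CX509BasicConstraintsExt* basic = CX509BasicConstraintsExt::NewLC(ext->Data());
+ TInt pathLength = basic->MaxChainLength();
+ if (pathLength < 0)
+ {
+ iResult.SetErrorAndLeaveL(ENegativePathLengthSpecified, iState.iPos);
+ }
+ if (iState.iPos > pathLength)
+ {
+ iState.iMaxPathLength = pathLength + 1;
+ }
+ Remove(*(iState.iCriticalExts), KBasicConstraints);
+ CleanupStack::PopAndDestroy();//basic
+ }
+ }
+
+//key usage constraint
+TPKIXKeyUsageConstraint::TPKIXKeyUsageConstraint( CPKIXValidationState& aState,
+ CPKIXValidationResultBase& aResult)
+ :TPKIXConstraint(aState, aResult)
+ {
+ }
+
+void TPKIXKeyUsageConstraint::CheckKeyUsageL(const CX509Certificate& aCert)
+ {
+ //if key usage is critical and this is a CA cert, the keyCertSign bit must be set
+ const CX509CertExtension* ext = aCert.Extension(KKeyUsage);
+ if (ext)
+ {
+ CX509KeyUsageExt* keyUsage = CX509KeyUsageExt::NewLC(ext->Data());
+ if ( (iState.iPos > 0) && (!(keyUsage->IsSet(EX509KeyCertSign))))
+ {
+ iResult.SetErrorAndLeaveL(EBadKeyUsage, iState.iPos);
+ }
+ CleanupStack::PopAndDestroy();
+ //we've processed this critical ext, so remove it
+ Remove(*(iState.iCriticalExts), KKeyUsage);
+ }
+ }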
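Review bot: In `TPKIXNameConstraint::CheckNameConstraintsL` the rfc822 subtrees are read only inside the `EX509RFC822Name` case of the subjectAltName loop, so a certificate without that extension has its subject compared against the DN subtrees alone and `iExcludedRFC822Subtrees` / `iPermittedRFC822Subtrees` are never consulted. RFC 5280 section 4.2.1.10 requires the rfc822Name constraint to be applied to the emailAddress attribute of the subject distinguished name when the certificate has no subject alternative name; whether `IsWithinSubtreeL` or a caller covers this cannot be seen from this file. If the omission is deliberate, record it at the top of the function, for example `// rfc822 subtrees are applied to subjectAltName entries only; an emailAddress attribute in the subject DN is not checked here`, so that callers relying on e-mail constraints know the limit. Otherwise the comparison belongs next to the subject-name checks, before the `if (ext)` block.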