os/security/cryptoservices/certificateandkeymgmt/pkixcertbase/pkixCons.h
     1 /*
     2 * Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies).
     3 * All rights reserved.
     4 * This component and the accompanying materials are made available
     5 * under the terms of the License "Eclipse Public License v1.0"
     6 * which accompanies this distribution, and is available
     7 * at the URL "http://www.eclipse.org/legal/epl-v10.html".
     8 *
     9 * Initial Contributors:
    10 * Nokia Corporation - initial contribution.
    11 *
    12 * Contributors:
    13 *
    14 * Description: 
    15 * TPKIXConstraint and TPKIXPolicyConstraint implementations
    16 *
    17 */
    18 
    19 
    20 /**
    21  @file 
    22  @internalTechnology
    23 */
    24  
    25 #if !defined (__PKIXCONS_H__)
    26 #define __PKIXCONS_H__
    27 
    28 #include <e32std.h>
    29 #include <x509cert.h>
    30 #include <x509certchain.h>
    31 #include <x509certext.h>
    32 #include <x509gn.h>
    33 #include <pkixcertchain.h>
    34 #include "pkixcertstate.h"
    35 
/**
 Base class shared by the PKIX constraint checkers declared below.

 Holds non-owning references to the validation state that is built up while
 the chain is walked (iState) and to the result object that records the
 outcome (iResult). Because both members are references, the objects passed
 to the constructor must outlive this object, and the class cannot be
 assigned to. The constructor is protected, so only the derived checkers can
 instantiate it.
*/
class TPKIXConstraint
	{
protected:
	// Binds iState and iResult; both referents must outlive this object.
	TPKIXConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	// Presumably drops the extension identified by aOID from the list of
	// critical extensions that are still unprocessed - confirm against the
	// implementation. If so, whatever is left in that list after every
	// checker has run is an unrecognised critical extension, which must
	// fail validation; verify that the caller treats it that way.
	void Remove(CArrayPtrFlat<CX509CertExtension>& aCriticalExtensions, const TDesC& aOID);
	CPKIXValidationState& iState;
	CPKIXValidationResultBase& iResult;
	};
    44 
    45 /*
    46 Certificate policies are processed in the following way:
    47 
    48 Inputs:
    49 ------
    50 user-constrained policy set: set of policies deemed acceptable to client of PKIXCert (relying party)
    51 
    52 Variables:
    53 ---------
UP: user-constrained policy set: initialised by the user; if the user supplies nothing it is left empty, and the empty set is then interpreted as 'any-policy' (an empty set of acceptable policies would otherwise reject every chain, which is not a sensible default)
    55 AP: authority-constrained policy set: set of policies deemed acceptable to issuing authority, initialised to 'any-policy'
    56 MP: mapped policy set: set of mapped policies, initialised to empty
explicit policy:	integer indicating position of first certificate in path where an explicit policy ID is required.
					initialised to n+1 where n=length of chain (i.e. never required unless a constraint lowers it)
policy mapping:		integer indicating position of last certificate in path where policy mapping is allowed
					initialised to n+1 where n=length of chain (i.e. mapping is allowed throughout unless a constraint lowers it)
    61 
    62 Processing:
    63 ----------
    64 For each certificate in chain, where certificate is at i in the chain (root being 1, ee cert being n):
    65 
    66 -if explicit policy <= i, a policy ID in cert shall be in UP
    67 -if policy mapping <= i, policy may not be mapped
    68 -if the cert doesn't contain a policy extension, then:
    69 	-if AP = any, AP is unchanged
    70 	-else AP is set to empty
    71 -if the cert contains a policy extension then 
    72 	-AP is set to the intersection of AP and CP
    73 	-any mapped policies occurring in CP are added to AP
    74 
    75 -if we can do mapping, then
    76 	-if AP = any then 
    77 		-all the 'subject' policies are added to MP
    78 		-for all mapped policies, if the 'issuer' policy is in UP then the 'subject' policy is added to UP
    79 	-if AP != any then
    80 		-for all mapped policies, 
    81 			-if the issuer policy is in AP then
    82 				-the subject policy is added to MP
    83 				-if the issuer policy is in UP then the subject policy is added to UP
    84 
    85 At the end of the chain,
    86 -if UP = any then we pass
    87 -if UP != any then 
    88 	-if AP = any then we fail
    89 	-otherwise we intersect AP and UP; if the result is empty then we fail
    90 
It is not entirely clear that this is a faithful implementation of the algorithm described in RFC 2459
section 6.1, because that text is ambiguous in places. When this was written (12 April 2000) that section
was still being revised; it has since been obsoleted by RFC 3280 and then RFC 5280, whose section 6.1
describes policy processing in terms of a valid_policy_tree and the explicit_policy, policy_mapping and
inhibit_anyPolicy state variables. The set-based scheme above has not been re-checked against that
text; note in particular that it mentions no inhibit-anyPolicy handling, so if that constraint is not
dealt with elsewhere it is not enforced here. The code should be revised against the current specification.

The test vectors available at the time gave sensible results, but that is not a substitute for checking
against the current specification.

*/
    99 
/**
 Certificate-policy processing for a chain, following the set-based scheme
 described in the block comment above (UP / AP / MP sets plus the
 explicit-policy and policy-mapping countdowns).

 Names ending in L may leave; IntersectionLC leaves and pushes its result on
 the cleanup stack (Symbian naming convention). From the declarations alone
 the calling sequence is presumably CheckCertPoliciesL() and
 UpdatePolicyConstraintsL() once per certificate, then FinishPolicyCheckL()
 once at the end of the chain - confirm against the chain walker.
*/
class TPKIXPolicyConstraint : public TPKIXConstraint
	{
public:
	TPKIXPolicyConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	// Per-certificate policy check (presumably the "explicit policy <= i"
	// and policy-extension rules of the scheme above).
	void CheckCertPoliciesL(const CX509Certificate& aCert);
	// Per-certificate update of the explicit-policy / policy-mapping countdowns.
	void UpdatePolicyConstraintsL(const CX509Certificate& aCert);
	// End-of-chain acceptance rule (the UP / AP intersection described above).
	void FinishPolicyCheckL();
private:
	// Presumably replaces the authority-constrained set with its intersection
	// with the certificate's policy extension - confirm in the .cpp.
	void IntersectCertPoliciesL(const CX509CertPoliciesExt& aPolicyExt);
	// Applies one policy-constraint value to a countdown; aCountdown is a
	// non-const reference, so it is updated in place.
	void UpdateConstraint(const TX509PolicyConstraint& aConstraint, TInt& aCountdown);
	// By its name, the set intersection of aFirst and aSecond; the LC suffix
	// means the returned array is left on the cleanup stack and the caller
	// must pop (and destroy) it.
	CArrayPtrFlat<CX509CertPolicyInfo>* IntersectionLC(	const CArrayPtrFlat<CX509CertPolicyInfo>& aFirst,
														const CArrayPtrFlat<CX509CertPolicyInfo>& aSecond);
	// Membership test of a policy list against a list of acceptable policy
	// OIDs held as descriptors - exact matching rule to be confirmed in the .cpp.
	TBool PolicyIsPresentL(	const CArrayPtrFlat<CX509CertPolicyInfo>& aPolicies, 
							const CArrayPtr<HBufC>& aAcceptablePolicies);
	// Static with a TAny* parameter, i.e. the shape of a cleanup-stack
	// operation; presumably frees the arrays IntersectionLC creates.
	static void CleanupPolicyInfoArray(TAny* aPolicies);
	};
   116 
/**
 Name-constraint processing (permitted / excluded subtrees). Three private
 helpers test a single name against a list of subtrees, one per name form
 handled here: distinguished names, domain names and IP addresses (the IP
 form is matched against CX509IPSubnetMask entries, not plain addresses).

 NOTE(review): no helper is declared for the rfc822Name or URI forms of
 subjectAltName. Confirm in CheckNameConstraintsL how a certificate whose
 subjectAltName, or whose constraining subtree, uses a form not handled
 here is treated - silently accepting it would make those constraints
 ineffective.
*/
class TPKIXNameConstraint : public TPKIXConstraint
	{
public:
	TPKIXNameConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	// Checks aCert's names against the subtrees in force at this point of
	// the chain (presumably kept in iState - confirm).
	void CheckNameConstraintsL(	const CX509Certificate& aCert);
	// Presumably folds aCert's own name-constraints extension into the
	// subtrees that apply to the certificates following it in the chain.
	void UpdateNameConstraintsL(const CX509Certificate& aCert);
private:
	// Distinguished-name form; may leave.
	TBool NameIsPresentL(const CX500DistinguishedName& aSubject,
						const CArrayPtrFlat<CX500DistinguishedName>& aSubtrees);
	// Domain-name form.
	TBool NameIsPresent(const CX509DomainName& aSubject,
						const CArrayPtrFlat<CX509DomainName>& aSubtrees);
	// IP-address form; the subtrees are address/mask pairs.
	TBool NameIsPresent(const CX509IPAddress& aSubject,
						const CArrayPtrFlat<CX509IPSubnetMask>& aSubtrees);
	};
   131 
/**
 basicConstraints processing: whether a certificate may act as the issuer
 of the next certificate in the chain (CheckCertSubjectTypeL), and the
 pathLenConstraint bookkeeping (UpdatePathLengthConstraintsL). The class
 declares no members of its own; anything it tracks goes through the
 iState / iResult references inherited from TPKIXConstraint.
*/
class TPKIXBasicConstraint : public TPKIXConstraint
	{
public:
	TPKIXBasicConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	// Presumably rejects a non-CA certificate used as an issuer - confirm
	// that the check also covers a missing basicConstraints extension.
	void CheckCertSubjectTypeL(const CX509Certificate& aCert);
	// Applies aCert's pathLenConstraint to the remaining path-length budget.
	void UpdatePathLengthConstraintsL(const CX509Certificate& aCert);
private:
	};
   140 
/**
 keyUsage processing. Declares no members of its own; failures are
 presumably reported through the inherited iResult reference.
*/
class TPKIXKeyUsageConstraint : public TPKIXConstraint
	{
public:
	TPKIXKeyUsageConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	// Checks aCert's keyUsage extension against the use being made of it at
	// this position in the chain - which bits are required (e.g. keyCertSign
	// for an issuer) is decided in the .cpp, not visible here.
	void CheckKeyUsageL(const CX509Certificate& aCert);
private:
	};
   148 
   149 #endif