First public contribution.
2 * Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies).
4 * This component and the accompanying materials are made available
5 * under the terms of the License "Eclipse Public License v1.0"
6 * which accompanies this distribution, and is available
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html".
9 * Initial Contributors:
10 * Nokia Corporation - initial contribution.
15 * TPKIXConstraint and TPKIXPolicyConstraint implementations
25 #if !defined (__PKIXCONS_H__)
26 #define __PKIXCONS_H__
30 #include <x509certchain.h>
31 #include <x509certext.h>
33 #include <pkixcertchain.h>
34 #include "pkixcertstate.h"
// Shared base for the PKIX path-validation constraint checkers declared below:
// every constraint is constructed over the same validation state and result.
39 TPKIXConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
// Drops the extension identified by aOID from the list of critical extensions
// still awaiting a handler. Presumably the list is checked at the end of
// validation so that an unrecognised critical extension fails the chain
// (RFC 2459 requires rejecting unrecognised critical extensions) — confirm
// against pkixcertstate.h.
40 void Remove(CArrayPtrFlat<CX509CertExtension>& aCriticalExtensions, const TDesC& aOID);
// Non-owning references bound in the constructor; the state and result objects
// must outlive this constraint.
41 CPKIXValidationState& iState;
42 CPKIXValidationResultBase& iResult;
46 Certificate policies are processed in the following way:
50 user-constrained policy set: set of policies deemed acceptable to client of PKIXCert (relying party)
54 UP: user-constrained-policy set: initialised by user, or set to empty (='any-policy', since empty is not a sensible value)
55 AP: authority-constrained policy set: set of policies deemed acceptable to issuing authority, initialised to 'any-policy'
56 MP: mapped policy set: set of mapped policies, initialised to empty
57 explicit policy: integer indicating position of first certificate in path where explicit policy ID is required.
58 initialised to n+1 where n=length of chain
59 policy mapping: integer indicating position of last certificate in path where policy mapping is allowed
60 initialised to n+1 where n=length of chain
64 For each certificate in the chain, where the certificate is at position i in the chain (root being 1, end-entity cert being n):
66 -if explicit policy <= i, a policy ID in cert shall be in UP
67 -if policy mapping <= i, policy may not be mapped
68 -if the cert doesn't contain a policy extension, then:
69 -if AP = any, AP is unchanged
70 -else AP is set to empty
71 -if the cert contains a policy extension then
72 -AP is set to the intersection of AP and CP
73 -any mapped policies occurring in CP are added to AP
75 -if we can do mapping, then
77 -all the 'subject' policies are added to MP
78 -for all mapped policies, if the 'issuer' policy is in UP then the 'subject' policy is added to UP
80 -for all mapped policies,
81 -if the issuer policy is in AP then
82 -the subject policy is added to MP
83 -if the issuer policy is in UP then the subject policy is added to UP
85 At the end of the chain,
86 -if UP = any then we pass
88 -if AP = any then we fail
89 -otherwise we intersect AP and UP; if the result is empty then we fail
91 It is not entirely clear that this is a faithful implementation of the algorithm described in RFC 2459
92 section 6.1, because the spec is a little ambiguous here. Additionally, this section of the spec is
93 currently undergoing revision (true as of 12 April 2000). So when it's finished being revised, the code
94 here should be revised to reflect the spec.
96 However, for the test vectors that I have at this time this appears to give sensible results.
// Certificate-policy processing for a chain, following the algorithm described
// in the comment block above (written against RFC 2459 section 6.1).
// NOTE(review): RFC 2459 has since been superseded by RFC 5280, whose section
// 6.1 policy processing differs in places; confirm this implementation against
// the current profile before relying on it.
// NOTE(review): by the rule "if UP = any then we pass", a relying party that
// leaves the user-constrained policy set empty never fails the policy check;
// callers that require a specific policy must populate UP.
100 class TPKIXPolicyConstraint : public TPKIXConstraint
103 TPKIXPolicyConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
// Per-certificate step: presumably checks the certificate's policies against
// the UP/AP sets described above. Trailing L: may leave on failure.
104 void CheckCertPoliciesL(const CX509Certificate& aCert);
// Per-certificate step: presumably updates the explicit-policy and
// policy-mapping countdowns from the certificate's policy-constraints extension.
105 void UpdatePolicyConstraintsL(const CX509Certificate& aCert);
// End-of-chain step: applies the UP/AP acceptance rule described above.
106 void FinishPolicyCheckL();
// Presumably replaces AP with the intersection of AP and the certificate's
// policy extension (CP) — confirm in the implementation.
108 void IntersectCertPoliciesL(const CX509CertPoliciesExt& aPolicyExt);
// Applies one policy constraint to the given countdown (explicit policy or
// policy mapping).
109 void UpdateConstraint(const TX509PolicyConstraint& aConstraint, TInt& aCountdown);
// Returns a new array of the policies common to aFirst and aSecond; the LC
// suffix indicates the result is left on the cleanup stack (see
// CleanupPolicyInfoArray for the matching cleanup item).
110 CArrayPtrFlat<CX509CertPolicyInfo>* IntersectionLC( const CArrayPtrFlat<CX509CertPolicyInfo>& aFirst,
111 const CArrayPtrFlat<CX509CertPolicyInfo>& aSecond);
// Whether any policy in aPolicies appears in aAcceptablePolicies (policy OIDs
// held as descriptors). NOTE(review): confirm the comparison is an exact OID
// match rather than a prefix match.
112 TBool PolicyIsPresentL( const CArrayPtrFlat<CX509CertPolicyInfo>& aPolicies,
113 const CArrayPtr<HBufC>& aAcceptablePolicies);
// Cleanup-stack callback that destroys an array produced by IntersectionLC.
114 static void CleanupPolicyInfoArray(TAny* aPolicies);
// Name-constraints processing: subject names of each certificate are tested
// against the subtrees accumulated from issuing CAs (presumably the
// permitted/excluded subtrees of the nameConstraints extension — confirm).
// NOTE(review): only DN, domain-name and IP-address forms have overloads here;
// confirm how other GeneralName types (e.g. rfc822Name, URI) are treated, since
// silently ignoring them would weaken the constraint.
117 class TPKIXNameConstraint : public TPKIXConstraint
120 TPKIXNameConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
// Per-certificate step: checks the certificate's names against the current
// subtrees. Trailing L: may leave on failure.
121 void CheckNameConstraintsL( const CX509Certificate& aCert);
// Per-certificate step: folds the certificate's own name constraints into the
// state carried forward to the next certificate.
122 void UpdateNameConstraintsL(const CX509Certificate& aCert);
// Whether aSubject falls within any of the distinguished-name subtrees.
124 TBool NameIsPresentL(const CX500DistinguishedName& aSubject,
125 const CArrayPtrFlat<CX500DistinguishedName>& aSubtrees);
// Whether aSubject falls within any of the domain-name subtrees.
126 TBool NameIsPresent(const CX509DomainName& aSubject,
127 const CArrayPtrFlat<CX509DomainName>& aSubtrees);
// Whether aSubject lies within any of the IP subnets (address plus mask).
128 TBool NameIsPresent(const CX509IPAddress& aSubject,
129 const CArrayPtrFlat<CX509IPSubnetMask>& aSubtrees);
// Basic-constraints processing: presumably enforces that intermediate
// certificates are marked as CAs (CheckCertSubjectTypeL) and tracks the
// pathLenConstraint countdown (UpdatePathLengthConstraintsL) — confirm in the
// implementation.
132 class TPKIXBasicConstraint : public TPKIXConstraint
135 TPKIXBasicConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
// Per-certificate step. Trailing L: may leave on failure.
136 void CheckCertSubjectTypeL(const CX509Certificate& aCert);
// Per-certificate step: updates the remaining permitted path length from aCert.
137 void UpdatePathLengthConstraintsL(const CX509Certificate& aCert);
// Key-usage processing: presumably verifies that a certificate's keyUsage
// extension permits the use it is put to in the chain (e.g. certificate
// signing for issuers) — confirm in the implementation.
141 class TPKIXKeyUsageConstraint : public TPKIXConstraint
144 TPKIXKeyUsageConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
// Per-certificate step. Trailing L: may leave on failure.
145 void CheckKeyUsageL(const CX509Certificate& aCert);