/*
* Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies).
* All rights reserved.
* This component and the accompanying materials are made available
* under the terms of the License "Eclipse Public License v1.0"
* which accompanies this distribution, and is available
* at the URL "http://www.eclipse.org/legal/epl-v10.html".
*
* Initial Contributors:
* Nokia Corporation - initial contribution.
*
* Contributors:
*
* Description:
* TPKIXConstraint and TPKIXPolicyConstraint implementations
*
*/


/**
@file
@internalTechnology
*/

#if !defined (__PKIXCONS_H__)
#define __PKIXCONS_H__

// NOTE(review): the six angle-bracket system includes below lost their header
// names when this page was extracted; restore them from the original source.
// The same extraction also stripped the template arguments from every
// CArrayPtrFlat / CArrayPtr used in this file, so the element types of those
// arrays cannot be read from here -- check pkixcons.cpp before relying on them.
#include
#include
#include
#include
#include
#include
#include "pkixcertstate.h"

/**
Base class for the per-certificate PKIX path constraints declared below
(policy, name, basic and key-usage constraints).

It holds non-owning references to the validation state and the validation
result shared by all the checks; the referenced objects must outlive the
constraint. The constructor is protected, so only the concrete constraint
classes can instantiate it.
*/
class TPKIXConstraint
	{
protected:
	/**
	@param aState  Validation state shared by the checks in a path validation (not owned).
	@param aResult Result object that the checks report into (not owned).
	*/
	TPKIXConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/**
	Removes the extension identified by aOID from aCriticalExtensions.
	NOTE(review): presumably called once a critical extension has been processed,
	so that any OID still left in the list can be treated as an unhandled critical
	extension -- confirm against the implementation in pkixcons.cpp.
	@param aCriticalExtensions List of critical extension OIDs still to be accounted for.
	@param aOID                OID of the extension that has now been handled.
	*/
	void Remove(CArrayPtrFlat& aCriticalExtensions, const TDesC& aOID);
	CPKIXValidationState& iState;       // shared validation state (reference, not owned)
	CPKIXValidationResultBase& iResult; // where validation outcomes are recorded (reference, not owned)
	};

/*
Certificate policies are processed in the following way:

Inputs:
------
user-constrained policy set: set of policies deemed acceptable to client of PKIXCert (relying party)

Variables:
---------
UP: user-constrained-policy set: initialised by user, or set to empty (='any-policy', since empty is not a sensible value)
AP: authority-constrained policy set: set of policies deemed acceptable to issuing authority, initialised to 'any-policy'
MP: mapped policy set: set of mapped policies, initialised to empty
explicit policy: integer indicating position of first certificate in path where explicit policy ID is required.
	initialised to n+1 where n=length of chain
policy mapping: integer indicating position of last certificate in path where policy mapping is allowed
	initialised to n+1 where n=length of chain

Processing:
----------
For each certificate in chain, where certificate is at i in the chain (root being 1, ee cert being n):

	-if explicit policy <= i, a policy ID in cert shall be in UP
	-if policy mapping <= i, policy may not be mapped
	-if the cert doesn't contain a policy extension, then:
		-if AP = any, AP is unchanged
		-else AP is set to empty
	-if the cert contains a policy extension then
		-AP is set to the intersection of AP and CP
		-any mapped policies occurring in CP are added to AP

	-if we can do mapping, then
		-if AP = any then
			-all the 'subject' policies are added to MP
			-for all mapped policies, if the 'issuer' policy is in UP then the 'subject' policy is added to UP
		-if AP != any then
			-for all mapped policies,
				-if the issuer policy is in AP then
					-the subject policy is added to MP
					-if the issuer policy is in UP then the subject policy is added to UP

At the end of the chain,
	-if UP = any then we pass
	-if UP != any then
		-if AP = any then we fail
		-otherwise we intersect AP and UP; if the result is empty then we fail

It is not entirely clear that this is a faithful implementation of the algorithm described in RFC 2459
section 6.1, because the spec is a little ambiguous here. Additionally, this section of the spec is
currently undergoing revision (true as of 12 April 2000). So when it's finished being revised, the code
here should be revised to reflect the spec.

However, for the test vectors that I have at this time this appears to give sensible results.

NOTE(review): the revision referred to above has long since completed -- RFC 2459 was obsoleted by
RFC 3280 and then by RFC 5280, whose section 6.1 specifies the valid_policy_tree algorithm. The
description above is the algorithm this code was written against, not a claim of RFC 5280 conformance;
any audit of the policy checks should compare the implementation with RFC 5280 section 6.1 directly.

*/

/**
Policy constraint processing for one certificate path (see the algorithm
description above). Trailing 'L' on a method name follows the Symbian
convention that the method may leave; 'LC' additionally means the returned
object is left on the cleanup stack for the caller to pop.
*/
class TPKIXPolicyConstraint : public TPKIXConstraint
	{
public:
	/**
	@param aState  Validation state shared by the checks (not owned).
	@param aResult Result object that the checks report into (not owned).
	*/
	TPKIXPolicyConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/**
	Checks the certificate policies carried by aCert against the current policy state.
	@param aCert The certificate at the current position in the path.
	*/
	void CheckCertPoliciesL(const CX509Certificate& aCert);
	/**
	Updates the explicit-policy / policy-mapping state from the policy constraints carried by aCert.
	@param aCert The certificate at the current position in the path.
	*/
	void UpdatePolicyConstraintsL(const CX509Certificate& aCert);
	/** Performs the end-of-chain policy check (the "At the end of the chain" step above). */
	void FinishPolicyCheckL();
private:
	/**
	Intersects the current policy set with the policies in aPolicyExt (the AP := AP n CP step above).
	@param aPolicyExt The certificate policies extension of the current certificate.
	*/
	void IntersectCertPoliciesL(const CX509CertPoliciesExt& aPolicyExt);
	/**
	Applies one policy constraint to a position countdown.
	@param aConstraint The constraint read from the certificate.
	@param aCountdown  In/out: the countdown being lowered -- presumably the
	                   'explicit policy' or 'policy mapping' position described above; verify in pkixcons.cpp.
	*/
	void UpdateConstraint(const TX509PolicyConstraint& aConstraint, TInt& aCountdown);
	/**
	Returns a newly allocated intersection of two policy arrays, left on the cleanup stack.
	@param aFirst  First policy set.
	@param aSecond Second policy set.
	@return The elements common to both; ownership passes to the caller via the cleanup stack.
	*/
	CArrayPtrFlat* IntersectionLC(const CArrayPtrFlat& aFirst,
		const CArrayPtrFlat& aSecond);
	/**
	@param aPolicies           Policies to look for.
	@param aAcceptablePolicies Policies considered acceptable.
	@return ETrue if (presumably) at least one of aPolicies occurs in aAcceptablePolicies; confirm the
	        exact any/all semantics in pkixcons.cpp.
	*/
	TBool PolicyIsPresentL(const CArrayPtrFlat& aPolicies,
		const CArrayPtr& aAcceptablePolicies);
	/**
	Cleanup-stack callback that destroys a policy info array.
	@param aPolicies The array to release, passed as TAny* to fit the cleanup item signature.
	*/
	static void CleanupPolicyInfoArray(TAny* aPolicies);
	};

/**
Name constraint processing: checks each certificate's subject names against
the permitted/excluded subtrees accumulated from the issuing CAs, and folds
the certificate's own name constraints into that state for the next step.
*/
class TPKIXNameConstraint : public TPKIXConstraint
	{
public:
	/**
	@param aState  Validation state shared by the checks (not owned).
	@param aResult Result object that the checks report into (not owned).
	*/
	TPKIXNameConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/**
	Checks the names in aCert against the name constraints in force at this point in the path.
	@param aCert The certificate at the current position in the path.
	*/
	void CheckNameConstraintsL(const CX509Certificate& aCert);
	/**
	Adds the name constraints carried by aCert to the state used for the certificates that follow it.
	@param aCert The certificate at the current position in the path.
	*/
	void UpdateNameConstraintsL(const CX509Certificate& aCert);
private:
	// One overload per supported name form: distinguished name, domain name and IP address.
	/**
	@param aSubject  Distinguished name to test.
	@param aSubtrees Subtrees to test it against.
	@return Whether aSubject falls within aSubtrees.
	*/
	TBool NameIsPresentL(const CX500DistinguishedName& aSubject,
		const CArrayPtrFlat& aSubtrees);
	/**
	@param aSubject  Domain name to test.
	@param aSubtrees Subtrees to test it against.
	@return Whether aSubject falls within aSubtrees.
	*/
	TBool NameIsPresent(const CX509DomainName& aSubject,
		const CArrayPtrFlat& aSubtrees);
	/**
	@param aSubject  IP address to test.
	@param aSubtrees Subtrees to test it against.
	@return Whether aSubject falls within aSubtrees.
	*/
	TBool NameIsPresent(const CX509IPAddress& aSubject,
		const CArrayPtrFlat& aSubtrees);
	};

/**
Basic constraints processing: checks that a certificate is of the subject type
expected at its position in the path (only CA certificates may act as issuers)
and tracks the path-length limit imposed by the issuing CAs.
*/
class TPKIXBasicConstraint : public TPKIXConstraint
	{
public:
	/**
	@param aState  Validation state shared by the checks (not owned).
	@param aResult Result object that the checks report into (not owned).
	*/
	TPKIXBasicConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/**
	Checks the subject type (CA / end entity) of aCert against what its position in the path requires.
	@param aCert The certificate at the current position in the path.
	*/
	void CheckCertSubjectTypeL(const CX509Certificate& aCert);
	/**
	Updates the remaining allowed path length from the basic constraints carried by aCert.
	@param aCert The certificate at the current position in the path.
	*/
	void UpdatePathLengthConstraintsL(const CX509Certificate& aCert);
private:
	};

/**
Key usage processing: checks that the key usage extension of a certificate
permits the use made of its key at this position in the path.
*/
class TPKIXKeyUsageConstraint : public TPKIXConstraint
	{
public:
	/**
	@param aState  Validation state shared by the checks (not owned).
	@param aResult Result object that the checks report into (not owned).
	*/
	TPKIXKeyUsageConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
	/**
	Checks the key usage of aCert.
	@param aCert The certificate at the current position in the path.
	*/
	void CheckKeyUsageL(const CX509Certificate& aCert);
private:
	};

#endif