/*
* Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies).
* All rights reserved.
* This component and the accompanying materials are made available
* under the terms of the License "Eclipse Public License v1.0"
* which accompanies this distribution, and is available
* at the URL "http://www.eclipse.org/legal/epl-v10.html".
*
* Initial Contributors:
* Nokia Corporation - initial contribution.
*
* Contributors:
*
* Description:
*
*/


#include "pkixCons.h"

//NOTE(review): container types in this listing read "CArrayPtrFlat" / "CArrayPtr"
//with no element type. The template arguments look to have been lost when the
//listing was rendered - confirm against the original file before compiling.

//PKIX constraint
//only function is remove

//Base constructor: stores references to the shared chain-validation state and
//to the result object that errors and warnings are reported through.
TPKIXConstraint::TPKIXConstraint(	CPKIXValidationState& aState,
									CPKIXValidationResultBase& aResult)
	:iState(aState), iResult(aResult)
	{
	}

//Removes the first entry whose Id() equals aOID from aCriticalExtensions.
//Callers in this file use it to mark a critical extension as "processed".
//Only the array slot is deleted here; the extension object itself is not
//destroyed by this function (ownership presumably lies elsewhere - confirm).
//Does nothing if no entry matches.
void TPKIXConstraint::Remove(CArrayPtrFlat& aCriticalExtensions, const TDesC& aOID)
	{
	TInt count = aCriticalExtensions.Count();
	for (TInt i = 0; i < count; i++)
		{
		CX509CertExtension* ext = aCriticalExtensions.At(i);
		if (ext->Id() == aOID)
			{
			aCriticalExtensions.Delete(i);
			break;	//count is stale after Delete, so stop at the first match
			}
		}
	}

//policy constraint
//public functions

//Constructor: forwards state and result to the TPKIXConstraint base.
TPKIXPolicyConstraint::TPKIXPolicyConstraint(	CPKIXValidationState& aState,
												CPKIXValidationResultBase& aResult)
	:TPKIXConstraint(aState, aResult)
	{
	}

//Cleanup-stack callback (used via TCleanupItem below): destroys every element
//of the policy-info array passed as aPolicies, then deletes the array itself.
//aPolicies must really point at such an array; the cast is unchecked.
void TPKIXPolicyConstraint::CleanupPolicyInfoArray(TAny* aPolicies)
	{
	CArrayPtrFlat* array = REINTERPRET_CAST(CArrayPtrFlat*, aPolicies);
	array->ResetAndDestroy();
	delete array;
	}

//Applies the certificate-policies extension of aCert to the chain state.
// - If iState.iPos > iState.iPolicyRequired, the certificate must carry a
//   policies extension and, when the user supplied any policies, at least one
//   certificate policy must match one of them; otherwise
//   ERequiredPolicyNotFound is reported and the function leaves.
// - With no policies extension, the authority-constrained set is emptied
//   unless iAnyAuthorityPolicy is still set.
// - With a policies extension, the authority-constrained set is intersected
//   with it, and a critical extension is removed from the critical list.
void TPKIXPolicyConstraint::CheckCertPoliciesL(const CX509Certificate& aCert)
	{
	const CX509CertExtension* ext = aCert.Extension(KCertPolicies);
	CX509CertPoliciesExt* policyExt = NULL;
	if (ext)
		{
		//NewLC: decoded extension stays on the cleanup stack until the
		//PopAndDestroy at the end of the else-branch below
		policyExt = CX509CertPoliciesExt::NewLC(ext->Data());
		}
	if (iState.iPos > iState.iPolicyRequired)
		{
		if (!(policyExt))
			{
			//NOTE(review): the dereference of policyExt below is only safe if
			//SetErrorAndLeaveL never returns (as its name suggests) - confirm
			iResult.SetErrorAndLeaveL(ERequiredPolicyNotFound, iState.iPos);
			}
		const CArrayPtrFlat& policies = policyExt->Policies();
		//an empty user policy list means "any policy is acceptable"
		if ((iState.iUserPolicies->Count() == 0) || (PolicyIsPresentL(policies, *iState.iUserPolicies)))
			{
			}
		else
			{
			iResult.SetErrorAndLeaveL(ERequiredPolicyNotFound, iState.iPos);
			}
		}
	if (!policyExt)
		{
		if (!iState.iAnyAuthorityPolicy)
			{
			//the array object is kept; ResetAndDestroy only empties it
			iState.iAuthorityConstrainedPolicies->ResetAndDestroy();//AP becomes NULL
			}
		}
	else
		{
		IntersectCertPoliciesL(*policyExt);
		if (ext->Critical())
			{
			//a critical policies extension whose surviving policies carry
			//qualifiers only produces a warning (first hit), not an error
			TInt count = iState.iAuthorityConstrainedPolicies->Count();
			for (TInt i = 0; i < count; i++)
				{
				const CX509CertPolicyInfo* policy = iState.iAuthorityConstrainedPolicies->At(i);
				if (policy->Qualifiers().Count() > 0)
					{
					iResult.AppendWarningL(TValidationStatus(ECriticalCertPoliciesWithQualifiers, i));
					break;
					}
				}
			Remove(*(iState.iCriticalExts), KCertPolicies);
			}
		CleanupStack::PopAndDestroy();//policyExt
		}
	}

//Replaces iState.iAuthorityConstrainedPolicies (AP) with a new set built from
//the certificate's policies (CP):
// 1. if iAnyAuthorityPolicy is set, newAP is a copy of CP and the flag is
//    cleared; otherwise newAP is the intersection of CP and AP;
// 2. for every stored mapping whose issuer policy is in the old AP and whose
//    subject policy is in CP, a copy of that CP entry is added to newAP.
//No de-duplication is done, so newAP may hold the same policy more than once.
void TPKIXPolicyConstraint::IntersectCertPoliciesL(const CX509CertPoliciesExt& aPolicyExt)
	{
//1 intersect AP and CP, assign result to newAP
	CArrayPtrFlat* newAP;
	TInt certPolicyCount = aPolicyExt.Policies().Count();
	if (iState.iAnyAuthorityPolicy)
		{
		newAP = new(ELeave) CArrayPtrFlat (1);
		//protect the array and its contents against a leave while it is filled
		TCleanupItem cleanupPolicies(CleanupPolicyInfoArray, newAP);
		CleanupStack::PushL(cleanupPolicies);
		for (TInt i = 0; i < certPolicyCount; i++)
			{
			CX509CertPolicyInfo* info = CX509CertPolicyInfo::NewLC(*(aPolicyExt.Policies().At(i)));
			newAP->AppendL(info);
			CleanupStack::Pop();	//info is now owned by newAP
			}
		iState.iAnyAuthorityPolicy = EFalse;
		}
	else
		{
		//IntersectionLC leaves its result on the cleanup stack, matching the
		//PushL in the branch above
		newAP = IntersectionLC(aPolicyExt.Policies(), *(iState.iAuthorityConstrainedPolicies));
		}

	TInt mappedCount = iState.iMappedPolicies->Count();
	for (TInt i = 0; i < mappedCount; i++)
		{
		CX509PolicyMapping* mapping = iState.iMappedPolicies->At(i);
		TInt apCount = iState.iAuthorityConstrainedPolicies->Count();
//2 for each mapping in MP, if issuer is in AP and subject is in CP, add subject to newAP
		for (TInt j = 0; j < apCount; j++)
			{
			CX509CertPolicyInfo* aCP = iState.iAuthorityConstrainedPolicies->At(j);
			if (aCP->Id() == mapping->IssuerPolicy())
				{
				for (TInt k = 0; k < certPolicyCount; k++)
					{
					CX509CertPolicyInfo* cp = aPolicyExt.Policies().At(k);
					if (mapping->SubjectPolicy() == cp->Id())
						{
						CX509CertPolicyInfo* newPolicy = CX509CertPolicyInfo::NewLC(*cp);
						newAP->AppendL(newPolicy);
						CleanupStack::Pop();	//newPolicy is now owned by newAP
						}
					}
				}
			}
		}
//new acceptable policies = intersection
	//nothing below can leave, so the old set is only discarded once newAP is complete
	iState.iAuthorityConstrainedPolicies->ResetAndDestroy();
	delete iState.iAuthorityConstrainedPolicies;
	iState.iAuthorityConstrainedPolicies = newAP;
	CleanupStack::Pop();//newAP
	}

//Updates the policy-mapping and policy-constraint state from aCert.
// - While iState.iPos <= iState.iPolicyMapping, each mapping in the
//   policy-mappings extension is copied into iMappedPolicies, and if its
//   issuer policy equals a user policy the subject policy is added to the
//   user policies as well.
// - iPolicyMapping and iPolicyRequired are then decremented unconditionally.
// - If a policy-constraints extension is present, both counters are lowered
//   to the extension's values where those are smaller, and a critical
//   extension is removed from the critical list.
void TPKIXPolicyConstraint::UpdatePolicyConstraintsL(const CX509Certificate& aCert)
	{
	//get mapping ext
	const CX509CertExtension* ext = aCert.Extension(KPolicyMapping);
	if ((iState.iPos <= iState.iPolicyMapping) && (ext))
		{
		CX509PolicyMappingExt* policyMappingExt = CX509PolicyMappingExt::NewLC(ext->Data());
		const CArrayPtrFlat& mappings = policyMappingExt->Mappings();
		//for each policy mapping
		TInt countM = mappings.Count();
		for (TInt i = 0; i < countM; i++)
			{
			CX509PolicyMapping* mapping = mappings.At(i);
			CX509PolicyMapping* newMapping = CX509PolicyMapping::NewLC(*mapping);
			iState.iMappedPolicies->AppendL(newMapping);
			CleanupStack::Pop();	//newMapping is now owned by iMappedPolicies
			//uCount is sampled once; the loop breaks right after the append,
			//so the newly added user policy is never revisited here
			TInt uCount = iState.iUserPolicies->Count();
			for (TInt j = 0; j < uCount; j++)
				{
				HBufC* userPolicy = iState.iUserPolicies->At(j);
				if (newMapping->IssuerPolicy() == *userPolicy)
					{
					HBufC* newUP = newMapping->SubjectPolicy().AllocL();
					CleanupStack::PushL(newUP);
					iState.iUserPolicies->AppendL(newUP);
					CleanupStack::Pop();	//newUP is now owned by iUserPolicies
					break;
					}
				}
			}
		CleanupStack::PopAndDestroy();//mapping ext
		}
	//the counters are decremented before this certificate's own constraints
	//are applied below
	iState.iPolicyMapping --;
	iState.iPolicyRequired --;
	//get constraints
	ext = aCert.Extension(KPolicyConstraints);
	if ( ext )
		{
		CX509PolicyConstraintsExt* policyConstraintsExt = CX509PolicyConstraintsExt::NewLC(ext->Data());
		UpdateConstraint(policyConstraintsExt->InhibitPolicyMapping(), iState.iPolicyMapping);
		UpdateConstraint(policyConstraintsExt->ExplicitPolicyRequired(), iState.iPolicyRequired);
		CleanupStack::PopAndDestroy();//constraint ext
		//remove it from the 'critical list'
		if (ext->Critical())
			{
			Remove(*(iState.iCriticalExts), KPolicyConstraints);
			}
		}
	}

//private functions

//Returns ETrue if any policy in aPolicies has an Id() equal to one of the
//descriptors in aAcceptablePolicies, EFalse otherwise (including when either
//list is empty).
TBool TPKIXPolicyConstraint::PolicyIsPresentL(	const CArrayPtrFlat& aPolicies,
												const CArrayPtr& aAcceptablePolicies)
	{
	TInt certCount = aPolicies.Count();
	TInt chainCount = aAcceptablePolicies.Count();
	for (TInt i = 0; i < certCount; i++)
		{
		CX509CertPolicyInfo* certPolicy = aPolicies.At(i);
		for (TInt j = 0; j < chainCount; j++)
			{
			HBufC* chainPolicy = aAcceptablePolicies.At(j);
			if (certPolicy->Id() == chainPolicy->Des())
				{
				return ETrue;
				}
			}
		}
	return EFalse;
	}

//Lowers aCountdown to aConstraint.iCountdown when the constraint is marked
//iRequired and its value is smaller; a constraint can never raise the counter.
void TPKIXPolicyConstraint::UpdateConstraint(const TX509PolicyConstraint& aConstraint, TInt& aCountdown)
	{
	if (aConstraint.iRequired)
		{
		if (aConstraint.iCountdown < aCountdown)
			aCountdown = aConstraint.iCountdown;
		}
	}

//Final policy check. Only acts when iState.iUserConstrainedPolicies is set:
//the check passes only if iAnyAuthorityPolicy has been cleared and at least
//one authority-constrained policy matches a user policy. If
//iAnyAuthorityPolicy is still set, 'passed' stays EFalse and
//ERequiredPolicyNotFound is reported.
void TPKIXPolicyConstraint::FinishPolicyCheckL()
	{
	if (iState.iUserConstrainedPolicies)
		{
		TBool passed = EFalse;
		if (!(iState.iAnyAuthorityPolicy))
			{//policy from user policies must be in authority policy set
			if ((PolicyIsPresentL(*(iState.iAuthorityConstrainedPolicies), *(iState.iUserPolicies))))
				{
				passed = ETrue;
				}
			}
		if (!passed)
			{
			iResult.SetErrorAndLeaveL(ERequiredPolicyNotFound, iState.iPos);
			}
		}
	}

CArrayPtrFlat* TPKIXPolicyConstraint::IntersectionLC(
		const CArrayPtrFlat& aFirst,
		const CArrayPtrFlat& aSecond)
//constructs an array of certificate policy objects,
//populating it with policies that occur in both of the array parameters
//The entries are copies of the aFirst element, one per matching pair, so a
//policy repeated in aSecond is copied once per repetition.
//The returned array is left on the cleanup stack (as a TCleanupItem that
//destroys its contents too); the caller must Pop or PopAndDestroy it.
	{
	CArrayPtrFlat* inter = new(ELeave) CArrayPtrFlat (1);
	TCleanupItem cleanupPolicies(CleanupPolicyInfoArray, inter);
	CleanupStack::PushL(cleanupPolicies);
	TInt count1 = aFirst.Count();
	TInt count2 = aSecond.Count();
	for (TInt i = 0; i < count1; i++)
		{
		CX509CertPolicyInfo* policy1 = aFirst.At(i);
		for (TInt j = 0; j < count2; j++)
			{
			CX509CertPolicyInfo* policy2 = aSecond.At(j);
			if (policy1->Id() == policy2->Id())
				{
				CX509CertPolicyInfo* info = CX509CertPolicyInfo::NewLC(*policy1);
				inter->AppendL(info);
				CleanupStack::Pop();	//info is now owned by inter
				}
			}
		}
	return inter;
	}

//name constraint
//public functions

//Constructor: forwards state and result to the TPKIXConstraint base.
TPKIXNameConstraint::TPKIXNameConstraint(	CPKIXValidationState& aState,
											CPKIXValidationResultBase& aResult)
	:TPKIXConstraint(aState, aResult)
	{
	}

//Checks the names in aCert against the name constraints accumulated in iState.
//The subject DN and every handled entry of the subjectAltName extension are
//rejected with ENameIsExcluded when they fall in an excluded subtree, and
//with ENameNotPermitted when permitted subtrees of that name type exist and
//none of them contains the name. An empty permitted list for a name type
//places no restriction on names of that type.
//Objects created with NewLC remain on the cleanup stack while
//SetErrorAndLeaveL is called, so a leave unwinds them.
void TPKIXNameConstraint::CheckNameConstraintsL(const CX509Certificate& aCert)
	{
//*do the subject name
	if (NameIsPresentL(aCert.SubjectName(), *(iState.iExcludedDNSubtrees)))
		{
		iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
		}
	TInt pCount = iState.iPermittedDNSubtrees->Count();
	if ((pCount > 0) && (!(NameIsPresentL(aCert.SubjectName(), *(iState.iPermittedDNSubtrees)))))
		{
		iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
		}
//*do the alt name
	const CX509CertExtension* ext = aCert.Extension(KSubjectAltName);
	if (ext)
		{
		CX509AltNameExt* altNameExt = CX509AltNameExt::NewLC(ext->Data());
		const CArrayPtrFlat& altName = altNameExt->AltName();
		TInt count = altName.Count();
		for (TInt i = 0; i < count; i++)
			{
			const CX509GeneralName* gN = altName.At(i);
			//NOTE(review): there is no default case, so GeneralName tags other
			//than the five handled here are skipped without any check, and the
			//extension is still removed from the critical list afterwards.
			//UpdateNameConstraintsL leaves on unsupported constraint tags, so
			//no constraint of such a type should be held in iState - confirm
			//that skipping these names is intended.
			switch (gN->Tag())
				{
				case EX509DirectoryName://X500DN
					{
					const CX500DistinguishedName* dN = CX500DistinguishedName::NewLC(gN->Data());
					if (NameIsPresentL(*dN, *(iState.iExcludedDNSubtrees)))
						{
						iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
						}
					if ((pCount > 0) && (!(NameIsPresentL(*dN, *(iState.iPermittedDNSubtrees)))))
						{
						iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
						}
					CleanupStack::PopAndDestroy();
					}
					break;
				case EX509RFC822Name://IA5String
					{
					const CX509RFC822Name* name = CX509RFC822Name::NewLC(gN->Data());
					if (NameIsPresent(*name, *(iState.iExcludedRFC822Subtrees)))
						{
						iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
						}
					if ((iState.iPermittedRFC822Subtrees->Count() > 0) && (!(NameIsPresent(*name, *(iState.iPermittedRFC822Subtrees)))))
						{
						iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
						}
					CleanupStack::PopAndDestroy();
					}
					break;
				case EX509URI://IA5String
					{
					//only the URI's host part is checked, against the DNS-name subtrees
					const CX509IPBasedURI* name = CX509IPBasedURI::NewLC(gN->Data());
					const CX509DNSName& domain = name->Host();
					if (NameIsPresent(domain, *(iState.iExcludedDNSNameSubtrees)))
						{
						iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
						}
					if ((iState.iPermittedDNSNameSubtrees->Count() > 0) && (!(NameIsPresent(domain, *(iState.iPermittedDNSNameSubtrees)))))
						{
						iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
						}
					CleanupStack::PopAndDestroy();
					}
					break;
				case EX509DNSName://IA5String
					{
					const CX509DNSName* name = CX509DNSName::NewLC(gN->Data());
					if (NameIsPresent(*name, *(iState.iExcludedDNSNameSubtrees)))
						{
						iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
						}
					if ((iState.iPermittedDNSNameSubtrees->Count() > 0) && (!(NameIsPresent(*name, *(iState.iPermittedDNSNameSubtrees)))))
						{
						iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
						}
					CleanupStack::PopAndDestroy();
					}
					break;
				case EX509IPAddress://octet string
					{
					const CX509IPAddress* name = CX509IPAddress::NewLC(gN->Data());
					if (NameIsPresent(*name, *(iState.iExcludedIPAddressSubtrees)))
						{
						iResult.SetErrorAndLeaveL(ENameIsExcluded, iState.iPos);
						}
					if ((iState.iPermittedIPAddressSubtrees->Count() > 0) && (!(NameIsPresent(*name, *(iState.iPermittedIPAddressSubtrees)))))
						{
						iResult.SetErrorAndLeaveL(ENameNotPermitted, iState.iPos);
						}
					CleanupStack::PopAndDestroy();
					}
					break;
				}
			}//end of for loop
		//we've handled this now, so can remove it from the critical list
		Remove(*(iState.iCriticalExts), KSubjectAltName);
		CleanupStack::PopAndDestroy();//altNameExt
		}//end of if(ext)
	}

//Folds the name-constraints extension of aCert into the chain state.
//Each excluded subtree is decoded according to its tag and appended to the
//matching iExcluded* list; each permitted subtree is appended to the matching
//iPermitted* list. For URI subtrees only the host is stored, as a DNS name.
//An unrecognised tag leaves with KErrNotSupported. The extension is removed
//from the critical list once processed.
//NOTE(review): permitted subtrees are accumulated with AppendL, and
//CheckNameConstraintsL accepts a name that lies within any single entry, so
//the permitted set behaves as a union across the chain. RFC 5280 section 6.1.4
//defines the new permitted set as the intersection of the previous set with
//this certificate's permittedSubtrees, so that a CA lower in the chain can
//only narrow it. Confirm whether narrowing is enforced elsewhere; if not, an
//intersection step is needed here.
void TPKIXNameConstraint::UpdateNameConstraintsL(const CX509Certificate& aCert)
	{
	const CX509CertExtension* ext = aCert.Extension(KNameConstraints);
	if (ext)
		{
		CX509NameConstraintsExt* nameCons = CX509NameConstraintsExt::NewLC(ext->Data());
		const CArrayPtrFlat& excSubtrees = nameCons->ExcludedSubtrees();
		TInt count = excSubtrees.Count();
		for (TInt i = 0; i < count; i++)
			{
			const CX509GeneralSubtree* subtree = excSubtrees.At(i);
			const CX509GeneralName& gN = subtree->Name();
			switch (gN.Tag())
				{
				case EX509DirectoryName://X500DN
					{
					CX500DistinguishedName* name = CX500DistinguishedName::NewLC(gN.Data());
					iState.iExcludedDNSubtrees->AppendL(name);
					CleanupStack::Pop();	//name is now owned by the list
					}
					break;
				case EX509RFC822Name://IA5String
					{
					CX509RFC822Name* name = CX509RFC822Name::NewLC(gN.Data());
					iState.iExcludedRFC822Subtrees->AppendL(name);
					CleanupStack::Pop();
					}
					break;
				case EX509URI://IA5String
					{
					CX509IPBasedURI* name = CX509IPBasedURI::NewLC(gN.Data());
					CX509DNSName* domain = CX509DNSName::NewLC(name->Host());
					iState.iExcludedDNSNameSubtrees->AppendL(domain);
					CleanupStack::Pop();			//domain: kept by the list
					CleanupStack::PopAndDestroy();	//name: temporary URI object
					}
					break;
				case EX509DNSName://IA5String
					{
					CX509DNSName* name = CX509DNSName::NewLC(gN.Data());
					iState.iExcludedDNSNameSubtrees->AppendL(name);
					CleanupStack::Pop();
					}
					break;
				case EX509IPAddress://octet string
					{
					CX509IPSubnetMask* name = CX509IPSubnetMask::NewLC(gN.Data());
					iState.iExcludedIPAddressSubtrees->AppendL(name);
					CleanupStack::Pop();
					}
					break;
				default:
					{
					//a constraint that cannot be evaluated aborts processing
					//rather than being ignored
					User::Leave(KErrNotSupported);
					}
					break;
				}
			}//end of for loop
		const CArrayPtrFlat& perSubtrees = nameCons->PermittedSubtrees();
		count = perSubtrees.Count();
		for (TInt j = 0; j < count; j++)
			{
			const CX509GeneralSubtree* subtree = perSubtrees.At(j);
			const CX509GeneralName& gN = subtree->Name();
			switch (gN.Tag())
				{
				case EX509DirectoryName://X500DN
					{
					CX500DistinguishedName* name = CX500DistinguishedName::NewLC(gN.Data());
					iState.iPermittedDNSubtrees->AppendL(name);
					CleanupStack::Pop();
					}
					break;
				case EX509RFC822Name://IA5String
					{
					CX509RFC822Name* name = CX509RFC822Name::NewLC(gN.Data());
					iState.iPermittedRFC822Subtrees->AppendL(name);
					CleanupStack::Pop();
					}
					break;
				case EX509URI://IA5String
					{
					CX509IPBasedURI* name = CX509IPBasedURI::NewLC(gN.Data());
					CX509DNSName* domain = CX509DNSName::NewLC(name->Host());
					iState.iPermittedDNSNameSubtrees->AppendL(domain);
					CleanupStack::Pop();			//domain: kept by the list
					CleanupStack::PopAndDestroy();	//name: temporary URI object
					}
					break;
				case EX509DNSName://IA5String
					{
					CX509DNSName* name = CX509DNSName::NewLC(gN.Data());
					iState.iPermittedDNSNameSubtrees->AppendL(name);
					CleanupStack::Pop();
					}
					break;
				case EX509IPAddress://octet string
					{
					CX509IPSubnetMask* name = CX509IPSubnetMask::NewLC(gN.Data());
					iState.iPermittedIPAddressSubtrees->AppendL(name);
					CleanupStack::Pop();
					}
					break;
				default:
					{
					User::Leave(KErrNotSupported);
					}
					break;
				}
			}//end of for loop
		CleanupStack::PopAndDestroy();//nameConsExt
		//we've handled this now, so can remove it from the critical list
		Remove(*(iState.iCriticalExts), KNameConstraints);
		}//end of if(ext)
	}


//private functions

//Returns ETrue if aSubject lies within at least one of the distinguished-name
//subtrees in aSubtrees; EFalse otherwise, including for an empty list.
//The local is called 'excluded' but the function is used for both the
//excluded and the permitted lists.
TBool TPKIXNameConstraint::NameIsPresentL(	const CX500DistinguishedName& aSubject,
											const CArrayPtrFlat& aSubtrees)
	{
	TInt count = aSubtrees.Count();
	for (TInt i = 0; i < count; i++)
		{
		const CX500DistinguishedName* excluded = aSubtrees.At(i);
		if (aSubject.IsWithinSubtreeL(*excluded))
			{
			return ETrue;
			}
		}
	return EFalse;
	}

//Domain-name overload: ETrue if aSubject lies within at least one subtree in
//aSubtrees, EFalse otherwise. Used for both excluded and permitted lists.
TBool TPKIXNameConstraint::NameIsPresent(	const CX509DomainName& aSubject,
											const CArrayPtrFlat& aSubtrees)
	{
	TInt count = aSubtrees.Count();
	for (TInt i = 0; i < count; i++)
		{
		const CX509DomainName* excluded = aSubtrees.At(i);
		if (aSubject.IsWithinSubtree(*excluded))
			{
			return ETrue;
			}
		}
	return EFalse;
	}

//IP-address overload: ETrue if aSubject lies within at least one subnet mask
//in aSubtrees, EFalse otherwise. Used for both excluded and permitted lists.
TBool TPKIXNameConstraint::NameIsPresent(	const CX509IPAddress& aSubject,
											const CArrayPtrFlat& aSubtrees)
	{
	TInt count = aSubtrees.Count();
	for (TInt i = 0; i < count; i++)
		{
		const CX509IPSubnetMask* excluded = aSubtrees.At(i);
		if (aSubject.IsWithinSubtree(*excluded))
			{
			return ETrue;
			}
		}
	return EFalse;
	}

//basic constraint

//Constructor: forwards state and result to the TPKIXConstraint base.
TPKIXBasicConstraint::TPKIXBasicConstraint(	CPKIXValidationState& aState,
											CPKIXValidationResultBase& aResult)
	:TPKIXConstraint(aState, aResult)
	{
	}

//Reports ENotCACert and leaves when the certificate is used as a CA
//(iState.iPos > 0) but is not marked as one. A certificate with no
//basic-constraints extension counts as "not marked", so it is rejected in
//any position above 0.
void TPKIXBasicConstraint::CheckCertSubjectTypeL(const CX509Certificate& aCert)
	{
	TBool markedAsCA = EFalse;
	TBool actsAsCA = iState.iPos > 0;
	const CX509CertExtension* ext = aCert.Extension(KBasicConstraints);
	if (ext)
		{
		CX509BasicConstraintsExt* basic = CX509BasicConstraintsExt::NewLC(ext->Data());
		markedAsCA = basic->IsCA();
		CleanupStack::PopAndDestroy();
		}
	if (actsAsCA && (!markedAsCA))
		{
		iResult.SetErrorAndLeaveL(ENotCACert, iState.iPos);
		}
	}

//Applies the path-length value of the basic-constraints extension, if present.
//A negative value is reported as ENegativePathLengthSpecified. When
//iState.iPos exceeds the value, iState.iMaxPathLength is set to value + 1.
//The extension is then removed from the critical list.
//NOTE(review): the path length is applied without consulting basic->IsCA();
//whether MaxChainLength() already accounts for a non-CA certificate cannot be
//seen from here - confirm.
void TPKIXBasicConstraint::UpdatePathLengthConstraintsL(const CX509Certificate& aCert)
	{
	const CX509CertExtension* ext = aCert.Extension(KBasicConstraints);
	if (ext)
		{
		CX509BasicConstraintsExt* basic = CX509BasicConstraintsExt::NewLC(ext->Data());
		TInt pathLength = basic->MaxChainLength();
		if (pathLength < 0)
			{
			iResult.SetErrorAndLeaveL(ENegativePathLengthSpecified, iState.iPos);
			}
		if (iState.iPos > pathLength)
			{
			iState.iMaxPathLength = pathLength + 1;
			}
		Remove(*(iState.iCriticalExts), KBasicConstraints);
		CleanupStack::PopAndDestroy();//basic
		}
	}

//key usage constraint
//Constructor: hands the shared validation state and the result object on to
//the TPKIXConstraint base.
TPKIXKeyUsageConstraint::TPKIXKeyUsageConstraint(
		CPKIXValidationState& aState,
		CPKIXValidationResultBase& aResult)
	: TPKIXConstraint(aState, aResult)
	{
	}

//Checks the key-usage extension of aCert, if it has one.
//When the extension is present and the certificate sits above position 0 in
//the chain (i.e. it is used as a CA), the keyCertSign bit must be set;
//otherwise EBadKeyUsage is reported and the function leaves. The check is
//made whether or not the extension is marked critical. A certificate with no
//key-usage extension is not checked here at all.
//After a successful check the extension is removed from the critical list.
void TPKIXKeyUsageConstraint::CheckKeyUsageL(const CX509Certificate& aCert)
	{
	const CX509CertExtension* usageExt = aCert.Extension(KKeyUsage);
	if (!usageExt)
		{
		return;	//nothing to check
		}

	//decoded extension stays on the cleanup stack, so a leave below frees it
	CX509KeyUsageExt* decodedUsage = CX509KeyUsageExt::NewLC(usageExt->Data());
	if (iState.iPos > 0)
		{
		if (!decodedUsage->IsSet(EX509KeyCertSign))
			{
			iResult.SetErrorAndLeaveL(EBadKeyUsage, iState.iPos);
			}
		}
	CleanupStack::PopAndDestroy();//decodedUsage

	//we've processed this critical ext, so remove it
	Remove(*(iState.iCriticalExts), KKeyUsage);
	}