2 * Copyright (c) 2001-2009 Nokia Corporation and/or its subsidiary(-ies).
4 * This component and the accompanying materials are made available
5 * under the terms of the License "Eclipse Public License v1.0"
6 * which accompanies this distribution, and is available
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html".
9 * Initial Contributors:
10 * Nokia Corporation - initial contribution.
15 * General Security Definitions
27 #ifndef __SECURITYDEFS_H__
28 #define __SECURITYDEFS_H__
33 /** General Security Definitions */
35 // Old keystore interface, deprecated //////////////////////////////////////////
38 * What a key can be used for.
39 * The values this can take are defined in TKeyUsageVals.
// TKeyUsage is a plain TInt so that OR-ed combinations of the flag values can
// be stored in it (see the note on combining values just below).
// NOTE(review): TInt is presumably a signed 32-bit integer, in which case
// EDigitalSignature (0x80000000) lands on the sign bit. Test usages with a
// bit mask, not with < or > comparisons -- confirm against the platform headers.
44 typedef TInt TKeyUsage;
47 * What a key can be used for.
49 * These values can be ORed together if a key has several usages. EAllKeyUsages
50 * is used when searching for all keys, rather than ones with a particular
51 * usage. As these can be combined, TKeyUsage is used to store them.
// Deprecated flag values. Each one is numerically identical to the
// EX509Usage* constant of the same name later in this header, and each
// occupies exactly one bit.
58 EDigitalSignature = 0x80000000,
59 ENonRepudiation = 0x40000000,
60 EKeyEncipherment = 0x20000000,
61 EDataEncipherment = 0x10000000,
62 EKeyAgreement = 0x08000000,
63 EKeyCertSign = 0x04000000,
64 ECRLSign = 0x02000000,
65 EEncipherOnly = 0x01000000,
66 EDecipherOnly = 0x00800000,
70 // End of deprecated keystore API //////////////////////////////////////////////
73 * What a key can be used for - PKCS#15 scheme.
// The ten single-usage values below each occupy one bit (0x001 .. 0x200), so
// they can be combined and tested with the bitwise operators declared after
// the value list.
80 EPKCS15UsageEncrypt = 0x001,
81 EPKCS15UsageDecrypt = 0x002,
82 EPKCS15UsageSign = 0x004,
83 EPKCS15UsageSignRecover = 0x008,
84 EPKCS15UsageWrap = 0x010,
85 EPKCS15UsageUnwrap = 0x020,
86 EPKCS15UsageVerify = 0x040,
87 EPKCS15UsageVerifyRecover = 0x080,
88 EPKCS15UsageDerive = 0x100,
89 EPKCS15UsageNonRepudiation = 0x200,
90 // Common combinations
91 EPKCS15UsageEncryptWrap = 0x011, // Encrypt | Wrap
92 EPKCS15UsageVerifyVerifyRecover = 0x0C0, // Verify | VerifyRecover
93 EPKCS15UsageDecryptUnwrap = 0x022, // Decrypt | Unwrap
94 EPKCS15UsageSignSignRecover = 0x00C, // Sign | SignRecover
95 EPKCS15UsageVerifyEncrypt = 0x0D1, // Encrypt | Wrap | Verify | VerifyRecover
96 EPKCS15UsageSignDecrypt = 0x02E, // Decrypt | Sign | SignRecover | Unwrap (Derive and NonRepudiation are not included)
97 // For use in filters to return all keys
// NOTE(review): EPKCS15UsageAll also sets every bit that has no named usage
// above. It is described as a search filter; storing it as a key's own usage
// would permit every operation -- confirm that callers never do so.
98 EPKCS15UsageAll = 0xffffffff,
99 EPKCS15UsageNone = 0x00000000
// Bitwise operators that keep the TKeyUsagePKCS15 type when usages are
// combined (|, |=) or masked (&, &=). They are declared inline here; the
// definitions are presumably in securitydefs.inl, which this header includes
// at the end -- confirm.
102 inline TKeyUsagePKCS15 operator|(TKeyUsagePKCS15 aLeft, TKeyUsagePKCS15 aRight);
103 inline TKeyUsagePKCS15 operator&(TKeyUsagePKCS15 aLeft, TKeyUsagePKCS15 aRight);
104 inline const TKeyUsagePKCS15& operator|=(TKeyUsagePKCS15& aLeft, TKeyUsagePKCS15 aRight);
105 inline const TKeyUsagePKCS15& operator&=(TKeyUsagePKCS15& aLeft, TKeyUsagePKCS15 aRight);
108 * What a key can be used for - X.509 scheme.
// The nine single-usage values follow the order of the X.509 KeyUsage bit
// string, with bit 0 (digitalSignature) at the most significant bit: usage
// bit n is stored as 0x80000000 >> n.
115 EX509UsageDigitalSignature = 0x80000000,
116 EX509UsageNonRepudiation = 0x40000000,
117 EX509UsageKeyEncipherment = 0x20000000,
118 EX509UsageDataEncipherment = 0x10000000,
119 EX509UsageKeyAgreement = 0x08000000,
120 EX509UsageKeyCertSign = 0x04000000,
121 EX509UsageCRLSign = 0x02000000,
122 EX509UsageEncipherOnly = 0x01000000,
123 EX509UsageDecipherOnly = 0x00800000,
124 // Values for commonly permitted combinations
125 EX509UsageAnySign = 0x86000000, // DigitalSignature | KeyCertSign | CRLSign (NonRepudiation is not included)
126 EX509UsageAllEncipher = 0x30000000, // KeyEncipherment | DataEncipherment
127 EX509UsageAllSignEncipher = 0xB6000000, // EX509UsageAnySign | EX509UsageAllEncipher
128 /// For use in filters to return all keys
// NOTE(review): EX509UsageAll also sets every bit that has no named usage
// above. It is described as a search filter; a mask test against it matches
// any non-zero usage, so it should not stand in for a specific permission
// check -- confirm how callers use it.
129 EX509UsageAll = 0xffffffff,
130 EX509UsageNone = 0x00000000
// Bitwise operators that keep the TKeyUsageX509 type when usages are
// combined (|, |=) or masked (&, &=). They are declared inline here; the
// definitions are presumably in securitydefs.inl, which this header includes
// at the end -- confirm.
133 inline TKeyUsageX509 operator|(TKeyUsageX509 aLeft, TKeyUsageX509 aRight);
134 inline TKeyUsageX509 operator&(TKeyUsageX509 aLeft, TKeyUsageX509 aRight);
135 inline const TKeyUsageX509& operator|=(TKeyUsageX509& aLeft, TKeyUsageX509 aRight);
136 inline const TKeyUsageX509& operator&=(TKeyUsageX509& aLeft, TKeyUsageX509 aRight);
// Exported conversions between the two key-usage schemes. Each takes a usage
// value in one scheme and returns a value in the other; the mapping itself is
// in the implementation, not in this header.
// NOTE(review): the X.509 -> PKCS#15 direction has separate Private and
// Public variants, presumably because one X.509 usage corresponds to
// different PKCS#15 operations on each half of a key pair. Callers should
// pick the variant that matches the key they actually hold, otherwise the
// stored usage may permit operations the certificate does not -- confirm
// against the implementation.
144 IMPORT_C TKeyUsageX509 KeyUsagePKCS15ToX509(TKeyUsagePKCS15 aUsage);
152 IMPORT_C TKeyUsagePKCS15 KeyUsageX509ToPKCS15Private(TKeyUsageX509 aUsage);
160 IMPORT_C TKeyUsagePKCS15 KeyUsageX509ToPKCS15Public(TKeyUsageX509 aUsage);
163 * Supported types of certificate format. Note that these must fit in 1 byte, as
164 * the file cert store serialises them as only 1 byte.
// Every value below fits in one byte (the largest is 0x12). Each *Url value
// is the corresponding base format value with bit 0x10 set.
// NOTE(review): a byte read back from a store can hold values that are not
// listed here; presumably the reader should reject them or map them to
// EUnknownCertificate before the value selects a parser -- confirm in the
// cert store code.
169 enum TCertificateFormat
171 EX509Certificate = 0x00,
172 EWTLSCertificate = 0x01,
173 EX968Certificate = 0x02,
174 EUnknownCertificate = 0x0f,
175 EX509CertificateUrl = 0x10,
176 EWTLSCertificateUrl = 0x11,
177 EX968CertificateUrl = 0x12
181 * The owner of a certificate.
186 enum TCertificateOwnerType
193 /** The length of a SHA-1 hash
198 const TInt KSHA1HashLengthBytes = 20; // 20 bytes = 160 bits, the SHA-1 digest size
206 typedef TBuf8<KSHA1HashLengthBytes> TSHA1Hash; // 8-bit descriptor with a maximum length of one SHA-1 digest
208 //const TInt KMD5HashLengthBytes = 16;
209 //typedef TMD5Hash TBufC8<KMD5HashLengthBytes>;
212 * A SHA-1 hash is also used as a key identifier.
// NOTE(review): SHA-1 no longer provides collision resistance. What is
// hashed to form a TKeyIdentifier is not visible in this header; if that
// input can be influenced by an untrusted party, treat the identifier as a
// lookup handle only and compare the key material itself before relying on
// a match -- confirm against the key store code.
217 typedef TSHA1Hash TKeyIdentifier;
220 * Errors that can occur when validating a certificate chain.
222 * Except EValidatedOK, all these are fatal errors unless specified.
// The enumerators shown here carry no explicit initialisers, so each takes
// its value from its position in the list; reordering or inserting entries
// changes the numeric value callers and stored results see.
227 enum TValidationError
231 /** Certificate chain has no root */
233 /** Invalid signature */
235 /** Date out of range */
237 /** Name is excluded */
239 /** Name is not permitted */
240 ENameNotPermitted, //subtle difference here!
// presumably "excluded" means the name matched an excluded subtree, while
// "not permitted" means it matched none of the permitted subtrees (X.509
// name constraints) -- confirm against the validator.
241 /** Not a CA certificate */
243 /** Certificate revoked */
245 /** Unrecognized critical extension */
246 EUnrecognizedCriticalExtension,
247 /** No basic constraint in CA certificate */
248 ENoBasicConstraintInCACert,
249 /** No acceptable policy */
253 /** Negative path length specified */
254 ENegativePathLengthSpecified,
255 /** Names do not chain */
257 /** Required policy not found */
258 ERequiredPolicyNotFound,
// NOTE(review): every enumerator from here on is documented as "cannot tell
// if this is fatal", i.e. the decision is left to the caller. A caller that
// ignores these results accepts a chain despite a root that is not
// self-signed or, presumably, a critical extension that was not evaluated
// for the application. The safe default is to reject unless the application
// checks that extension itself -- confirm the policy each caller applies.
262 * Root certificate not self-signed.
264 * We cannot tell if this is fatal or not, as we lack the context.
266 ERootCertNotSelfSigned,
268 * Critical extended key usage
270 * We cannot tell if this is fatal or not, as we lack the context.
272 ECriticalExtendedKeyUsage,
274 * Critical certificate policies with qualifiers
276 * We cannot tell if this is fatal or not, as we lack the context.
278 ECriticalCertPoliciesWithQualifiers,
280 * Critical policy mapping
282 * We cannot tell if this is fatal or not, as we lack the context.
284 ECriticalPolicyMapping,
288 * We cannot tell if this is fatal or not, as we lack the context.
294 * We cannot tell if this is fatal or not, as we lack the context.
300 * We cannot tell if this is fatal or not, as we lack the context.
304 * Critical Capabilities
306 * We cannot tell if this is fatal or not, as we lack the context.
308 ECriticalCapabilities
311 // Certificate Applicability UIDs
// Each UID below names one purpose a certificate can be marked as trusted
// for in the certificate store.
// NOTE(review): trust for one purpose should not imply trust for another
// (for example, a certificate trusted for SSL/TLS is not thereby trusted for
// software installation); code that selects trust anchors should filter on
// the specific UID -- confirm how the cert store APIs referenced below
// enforce this.
314 * This UID is associated with certificates which are trusted for
315 * software installation of native applications.
317 * @see MCertStore::Applications
318 * @see MCTWritableCertStore::SetApplicability
323 const TUid KSwiApplicabilityUid = {0x100042AB};
326 * This UID is associated with certificates which are trusted for
329 * @see MCertStore::Applications
330 * @see MCTWritableCertStore::SetApplicability
// NOTE(review): going by the constant's name, presumably OCSP checking
// performed during software installation -- confirm.
335 const TUid KSwiOcspApplicabilityUid = {0x1000A8B6};
338 * This UID is associated with certificates which are trusted for
339 * Java midlet installation.
341 * @see MCertStore::Applications
342 * @see MCTWritableCertStore::SetApplicability
347 const TUid KMidletInstallApplicabilityUid = {0x101F9B28};
350 * This UID is associated with certificates which are trusted for
351 * SSL/TLS connectivity.
353 * @see MCertStore::Applications
354 * @see MCTWritableCertStore::SetApplicability
359 const TUid KTlsApplicabilityUid = {0x1000183D};
// The OID constants in this part of the header are all under the arc
// 1.3.6.1.5.5.7.3, the extended key usage purpose identifiers (id-kp in
// RFC 5280). They are stored as dotted-decimal text.
362 * This OID is associated with X.509 certificates
363 * trusted for TLS WWW server authentication.
368 _LIT(KServerAuthOID,"1.3.6.1.5.5.7.3.1"); // id-kp-serverAuth
371 * This OID is associated with X.509 certificates
372 * trusted for TLS WWW client authentication.
378 _LIT(KClientAuthOID,"1.3.6.1.5.5.7.3.2"); // id-kp-clientAuth
381 * This OID is associated with X.509 certificates
382 * trusted for signing of downloadable executable code.
387 _LIT(KCodeSigningOID,"1.3.6.1.5.5.7.3.3"); // id-kp-codeSigning
390 * This OID is associated with X.509 certificates
391 * trusted for email protection.
396 _LIT(KEmailProtectionOID,"1.3.6.1.5.5.7.3.4");
399 * This OID is associated with X.509 certificates
400 * trusted for IPsec end system.
405 _LIT(KIpsecEndSystemOID,"1.3.6.1.5.5.7.3.5");
408 * This OID is associated with X.509 certificates
409 * trusted for IPsec tunnel.
414 _LIT(KIpsecTunnelOID,"1.3.6.1.5.5.7.3.6");
417 * This OID is associated with X.509 certificates
418 * trusted for IPsec user.
423 _LIT(KIpsecUserOID, "1.3.6.1.5.5.7.3.7");
426 * This OID is associated with X.509 certificates
427 * trusted for binding the hash of an object to a time.
432 _LIT(KTimeStampingOID,"1.3.6.1.5.5.7.3.8"); // id-kp-timeStamping (extended key usage purpose, RFC 5280)
435 * This OID is associated with X.509 certificates
436 * trusted for signing OCSP responses.
441 _LIT(KOCSPSigningOID,"1.3.6.1.5.5.7.3.9"); // id-kp-OCSPSigning (extended key usage purpose, RFC 5280)
445 #include "securitydefs.inl"