class COCSPDelegateAuthorisationScheme : public CActive
Implement part of S2.2.2 of RFC 2560.
"a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA."
Public Member Functions | |
---|---|
~COCSPDelegateAuthorisationScheme() | |
void | CancelValidate() |
IMPORT_C COCSPDelegateAuthorisationScheme * | NewLC(MCertStore &) |
const CX509Certificate * | ResponderCert() |
void | ValidateL(OCSP::TStatus &, COCSPResponse &, const TTime, TRequestStatus &, const COCSPRequest &) |
Protected Member Functions | |
---|---|
void | DoCancel() |
TInt | RunError(TInt) |
void | RunL() |
Private Member Functions | |
---|---|
COCSPDelegateAuthorisationScheme(MCertStore &) | |
void | ConstructL() |
void | OnChainValidationL() |
void | OnRetrieveNextL() |
void | OnRetrievingEntryL() |
void | ValidateDelegateCertL(const TDesC8 &, const TTime) |
void | ValidateFromRootsL() |
Private Member Enumerations | |
---|---|
enum | TDelegateAuthState { EOnChainValidation, ERetrieveNext, ERetrievingEntry } |
Inherited Enumerations | |
---|---|
CActive:TPriority |
Inherited Attributes | |
---|---|
CActive::iStatus |
COCSPDelegateAuthorisationScheme | ( | MCertStore & | aCertStore | ) | [private] |
Initializes the CActive base class object and adds this object to the active scheduler.
MCertStore & aCertStore | Cert store interface. This is only used to construct a certificate chain builder with CPKIXCertChainBase::NewL(). Certificates from the store are not used for validation if the response contains the responder certificate. If it does not contain the responder cert then validation would be done from store. |
~COCSPDelegateAuthorisationScheme | ( | ) | [virtual] |
Cancels any outstanding validation and frees all resources owned by this object.
void | CancelValidate | ( | ) | [virtual] |
Implement MOCSPAuthorisationScheme. This is an active object, and this function just calls Cancel(). See DoCancel() for information about the cancellation process.
void | ConstructL | ( | ) | [private] |
Strictly, none of the resources owned by this object are required for all of its lifetime or need to be preserved between validations.
Some of the resources, such as the CPKIXCertChain instance, have to be reallocated for every validation.
The resources which can be allocated for the lifetime of this object are allocated here. This improves performance and simplifies the validation process, at a RAM cost.
void | DoCancel | ( | ) | [protected, virtual] |
If a validation request is outstanding, then it is cancelled. This object's client, i.e. the owner of the TRequestStatus which was passed to Validate(), is completed with KErrCancel.
IMPORT_C COCSPDelegateAuthorisationScheme * | NewLC | ( | MCertStore & | aCertStore | ) | [static] |
Factory function allocates new instance of COCSPDelegateAuthorisationScheme.
MCertStore & aCertStore | Cert store interface. This is used to construct a certificate chain builder with CPKIXCertChainBase::NewL(). Certificates from the store are not used for validation if the response contains the responder certificate. If it does not contain the responder cert then validation would be done from store. |
void | OnRetrieveNextL | ( | ) | [private] |
Retrieves each certificate in the list of certificate entries in the store.
void | OnRetrievingEntryL | ( | ) | [private] |
Once the certificate has been retrieved from the store, it should be sent for chain validation. This intermediate state is required so that we can retrieve the certificate from the store.
void | RunL | ( | ) | [protected, virtual] |
Handles an active object's request completion event.
A derived class must provide an implementation to handle the completed request. If appropriate, it may issue another request.
The function is called by the active scheduler when a request completion event occurs, i.e. after the active scheduler's WaitForAnyRequest() function completes.
Before calling this active object's RunL() function, the active scheduler has:
1. decided that this is the highest priority active object with a completed request
2. marked this active object's request as complete (i.e. the request is no longer outstanding)
RunL() runs under a trap harness in the active scheduler. If it leaves, then the active scheduler calls RunError() to handle the leave.
Note that once the active scheduler's Start() function has been called, all user code is run under one of the program's active object's RunL() or RunError() functions.
See also: CActiveScheduler::Start, CActiveScheduler::Error, CActiveScheduler::WaitForAnyRequest, TRAPD
void | ValidateDelegateCertL | ( | const TDesC8 & | aResponseCertChain, const TTime | aValidationTime | ) | [private] |
Initialize this object to validate the certificate which was sent with the response against the CA which was used to sign the certificate in question.
void | ValidateFromRootsL | ( | ) | [private] |
Initiates request to retrieve the responder certificate from store.
void | ValidateL | ( | OCSP::TStatus & | aOCSPStatus, COCSPResponse & | aResponse, const TTime | aValidationTime, TRequestStatus & | aStatus, const COCSPRequest & | aRequest | ) | [virtual] |
Implement MOCSPAuthorisationScheme.
Validate the response if it is signed by an immediate delegate of the intermediate entity. I.e. if the request has the form (T->I) (I->E)
where T is trusted (at least for the purposes of this validation) and I is an intermediate, the response can be signed by R if (I->R).
I is the CA, and can be equal to T, i.e. the certificate which is being tested for revocation can be signed by a root certificate.
R must be immediately signed by I, and must have id-kp-OCSPSigning in its extended key usage. (RFC 2560 S4.2.2.2)
OCSP::TStatus & aOCSPStatus | |
COCSPResponse & aResponse | |
const TTime aValidationTime | |
TRequestStatus & aStatus | |
const COCSPRequest & aRequest |
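The delegation rule described for ValidateL(), as an added example that is not Symbian source code: a self-contained C++ model of the decision "R is acceptable only if issued directly by I and marked id-kp-OCSPSigning". The `Cert` struct, the `Verdict` enum, `CheckDelegate` and the key-id strings that stand in for real signature verification are all hypothetical, and the validity-window check is an assumption based on the aValidationTime parameter.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Constructed certificate model; key ids stand in for real signature checks.
struct Cert {
    std::string subject, issuer;   // distinguished names
    std::string signedByKey;       // key id that signed this certificate
    std::string ownKey;            // key id of this certificate's public key
    std::vector<std::string> eku;  // extended key usage OIDs
    long notBefore, notAfter;      // validity window
};

const std::string kOcspSigning = "1.3.6.1.5.5.7.3.9";  // id-kp-OCSPSigning

enum Verdict { Authorised, NotIssuedByCa, MissingOcspSigningEku,
               OutsideValidity, ResponseNotSignedByDelegate };

// ca is I (the issuer of the certificate being checked), responder is R.
Verdict CheckDelegate(const Cert& ca, const Cert& responder,
                      const std::string& responseSignerKey, long when) {
    // R must be issued directly by I: a certificate issued by T (when T != I)
    // or by another delegate does not qualify.
    if (responder.issuer != ca.subject || responder.signedByKey != ca.ownKey)
        return NotIssuedByCa;
    if (std::find(responder.eku.begin(), responder.eku.end(), kOcspSigning) ==
        responder.eku.end())
        return MissingOcspSigningEku;
    if (when < responder.notBefore || when > responder.notAfter)
        return OutsideValidity;  // assumed use of the validation time
    // Only once R is accepted as a delegate is the response signature checked.
    if (responseSignerKey != responder.ownKey)
        return ResponseNotSignedByDelegate;
    return Authorised;
}

int main() {
    Cert ca{"I", "T", "kT", "kI", {}, 0, 1000};  // constructed sample data
    Cert good{"R", "I", "kI", "kR", {kOcspSigning}, 0, 1000};
    Cert byRoot{"R2", "T", "kT", "kR2", {kOcspSigning}, 0, 1000};
    std::cout << CheckDelegate(ca, good, "kR", 500) << " "
              << CheckDelegate(ca, byRoot, "kR2", 500) << "\n";
    return 0;
}
```

The order of checks mirrors the description of iResponse: the responder certificate is first established as an authorised delegate, and only then is the response signature tied to it.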
MCertStore & | iCertStore | [private] |
This is a required argument for CPKIXCertChainBase, even though no certificates are used from the store.
RMPointerArray< CCTCertInfo > | iCertStoreEntries | [private] |
TRequestStatus * | iClientStatus | [private] |
Pointer to client's request status. This is recorded on the call to Validate() and used to notify the client of completion later.
OCSP::TStatus * | iOCSPStatus | [private] |
Pointer to client's OCSP status. This object sets the status according to the result of the validation. If the validation cannot be carried out, the default value is OCSP::EResponseSignatureValidationFailure.
CPKIXValidationResultBase * | iPKIXResultBase | [private] |
The cert chain stores the validation result in this object.
CPKIXCertChainBase * | iRespSignCertChainBase | [private] |
This object is used to chain the response signer back to the CA.
RPointerArray< CX509Certificate > | iRespSignIntCert | [private] |
Array used to hold pointer to issuer cert. This contains the pointer to the CA.
COCSPResponse * | iResponse | [private] |
Response from OCSP server. Once it has been established that the certificate sent with the response is an authorised responder for the CA, the response is checked to ensure that it really is signed by that certificate.
This is not const because, if DSA is used, then SetParametersL() will be called on the response before the signature is verified.
Copyright ©2010 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. Unless otherwise stated, these materials are provided under the terms of the Eclipse Public License v1.0.