COCSPDelegateAuthorisationScheme Class Reference

class COCSPDelegateAuthorisationScheme : public CActive

Implement part of S2.2.2 of RFC 2560.

"a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA."

Inherits from

Public Member Functions
~COCSPDelegateAuthorisationScheme ()
void CancelValidate ()
IMPORT_C COCSPDelegateAuthorisationScheme * NewLC ( MCertStore &)
const CX509Certificate * ResponderCert ()
void ValidateL ( OCSP::TStatus &, COCSPResponse &, const TTime , TRequestStatus &, const COCSPRequest &)
Protected Member Functions
void DoCancel ()
TInt RunError ( TInt )
void RunL ()
Private Member Functions
COCSPDelegateAuthorisationScheme ( MCertStore &)
void ConstructL ()
void OnChainValidationL ()
void OnRetrieveNextL ()
void OnRetrievingEntryL ()
void ValidateDelegateCertL (const TDesC8 &, const TTime )
void ValidateFromRootsL ()
Inherited Functions
CActive::CActive(TInt)
CActive::Cancel()
CActive::Deque()
CActive::Extension_(TUint,TAny *&,TAny *)
CActive::IsActive()const
CActive::IsAdded()const
CActive::Priority()const
CActive::SetActive()
CActive::SetPriority(TInt)
CActive::~CActive()
CBase::CBase()
CBase::Delete(CBase *)
CBase::operator new(TUint)
CBase::operator new(TUint,TAny *)
CBase::operator new(TUint,TLeave)
CBase::operator new(TUint,TLeave,TUint)
CBase::operator new(TUint,TUint)
CBase::~CBase()
Private Member Enumerations
enum TDelegateAuthState { EOnChainValidation , ERetrieveNext , ERetrievingEntry }
Inherited Enumerations
CActive:TPriority
Private Attributes
TInt iCertCount
CCertAttributeFilter * iCertFilter
MCertStore & iCertStore
RMPointerArray < CCTCertInfo > iCertStoreEntries
TRequestStatus * iClientStatus
HBufC8 * iEncodedCert
OCSP::TStatus * iOCSPStatus
CPKIXValidationResultBase * iPKIXResultBase
const COCSPRequest * iRequest
CPKIXCertChainBase * iRespSignCertChainBase
RPointerArray < CX509Certificate > iRespSignIntCert
COCSPResponse * iResponse
const CX509Certificate * iResponseCert
TDelegateAuthState iState
TBool iValidateFromResponse
TTime iValidationTime
Inherited Attributes
CActive::iStatus

Constructor & Destructor Documentation

COCSPDelegateAuthorisationScheme(MCertStore &)

COCSPDelegateAuthorisationScheme ( MCertStore & aCertStore ) [private]

Initializes the CActive base class object and adds this object to the active scheduler.

Parameters

MCertStore & aCertStore Cert store interface. This is only used to construct a certificate chain builder with CPKIXCertChainBase::NewL(). Certificates from the store are not used for validation if the response contains the responder certificate. If it does not contain the responder cert then validation would be done from store.

~COCSPDelegateAuthorisationScheme()

~COCSPDelegateAuthorisationScheme ( ) [virtual]

Cancels any outstanding validation and frees all resources owned by this object.

Member Functions Documentation

CancelValidate()

void CancelValidate ( ) [virtual]

Implement MOCSPAuthorisationScheme . This is an active object, and this function just calls Cancel() . See DoCancel() for information about the cancellation process.

DoCancel

ConstructL()

void ConstructL ( ) [private]

Strictly, none of the resources owned by this object are required for all of its lifetime need to be preserved between validations.

Some of the resources, such as the CPKIXCertChain instance have to be reallocated for every validation.

The resources which can be allocated for the lifetime of this object are allocated here. This improves performance and simplifies the validation process, at a RAM cost.

DoCancel()

void DoCancel ( ) [protected, virtual]

If a validation request is outstanding, then it is cancelled. This objects client, i.e. the owner of the TRequestStatus which was passed to Validate(), is completed with KErrCancel.

NewLC(MCertStore &)

IMPORT_C COCSPDelegateAuthorisationScheme * NewLC ( MCertStore & aCertStore ) [static]

Factory function allocates new instance of COCSPDelegateAuthorisationScheme .

Parameters

MCertStore & aCertStore Cert store interface. This is used to construct a certificate chain builder with CPKIXCertChainBase::NewL(). Certificates from the store are not used for validation if the response contains the responder certificate. If it does not contain the responder cert then validation would be done from store.

OnChainValidationL()

void OnChainValidationL ( ) [private]

OnRetrieveNextL()

void OnRetrieveNextL ( ) [private]

For list of certificate entries in the store retrieve each certificate.

OnRetrievingEntryL()

void OnRetrievingEntryL ( ) [private]

Once the certificate has been retrieved from the store, it should be sent for chain validation. This intermediate state is required so that we can retrieve the certificate from the store.

ResponderCert()

const CX509Certificate * ResponderCert ( ) const

Returns the responder certificate.

RunError(TInt)

TInt RunError ( TInt aError ) [protected, virtual]

Parameters

TInt aError

RunL()

void RunL ( ) [protected, virtual]

Handles an active object's request completion event.

A derived class must provide an implementation to handle the completed request. If appropriate, it may issue another request.

The function is called by the active scheduler when a request completion event occurs, i.e. after the active scheduler's WaitForAnyRequest() function completes.

Before calling this active object's RunL() function, the active scheduler has:

1. decided that this is the highest priority active object with a completed request

2. marked this active object's request as complete (i.e. the request is no longer outstanding)

RunL() runs under a trap harness in the active scheduler. If it leaves, then the active scheduler calls RunError() to handle the leave.

Note that once the active scheduler's Start() function has been called, all user code is run under one of the program's active object's RunL() or RunError() functions.

CActiveScheduler::Start CActiveScheduler::Error CActiveScheduler::WaitForAnyRequest TRAPD

ValidateDelegateCertL(const TDesC8 &, const TTime)

void ValidateDelegateCertL ( const TDesC8 & aResponseCertChain,
const TTime aValidationTime
) [private]

Initialize this object to validate the certificate which was sent with the response against the CA which was used to sign the certificate in question.

Post-condition
If successful, asynchronous validation will be set up.

Parameters

const TDesC8 & aResponseCertChain DER-encoded cert chain that was either sent with the response. or was retrieved from the store as a single certificate.
const TTime aValidationTime Time to be used for chain validation of the delegate certificate.

ValidateFromRootsL()

void ValidateFromRootsL ( ) [private]

Initiates request to retrieve the responder certificate from store.

ValidateL(OCSP::TStatus &, COCSPResponse &, const TTime, TRequestStatus &, const COCSPRequest &)

void ValidateL ( OCSP::TStatus & aOCSPStatus,
COCSPResponse & aResponse,
const TTime aValidationTime,
TRequestStatus & aStatus,
const COCSPRequest & aRequest
) [virtual]

Implement MOCSPAuthorisationScheme .

Validate the response if it is signed by an immediate delegate of the intermediate entity. I.e. if the request has the form (T->I) (I->E)

where T is trusted (at least for the purposes of this validation) and I is an intermediate, the response can be signed by R if (I->R).

I is the CA, and can be equal to T, i.e. the certificate which is being tested for revocation can be signed by a root certificate.

R must be immediately signed by I, and must have id-kp-OCSPSigning in its extended key usage. (RFC 2560 S4.2.2.2)

Parameters

OCSP::TStatus & aOCSPStatus
COCSPResponse & aResponse
const TTime aValidationTime
TRequestStatus & aStatus
const COCSPRequest & aRequest

Member Enumerations Documentation

Enum TDelegateAuthState

Enumerators

EOnChainValidation
ERetrieveNext
ERetrievingEntry

Member Data Documentation

TInt iCertCount

TInt iCertCount [private]

CCertAttributeFilter * iCertFilter

CCertAttributeFilter * iCertFilter [private]

MCertStore & iCertStore

MCertStore & iCertStore [private]

This is a required argument for CPKIXCertChainBase , even though no certificates are used from the store.

RMPointerArray< CCTCertInfo > iCertStoreEntries

RMPointerArray < CCTCertInfo > iCertStoreEntries [private]

TRequestStatus * iClientStatus

TRequestStatus * iClientStatus [private]

Pointer to client's request status. This is recorded on the call to Validate() and used to notify the client of completion later.

HBufC8 * iEncodedCert

HBufC8 * iEncodedCert [private]

OCSP::TStatus * iOCSPStatus

OCSP::TStatus * iOCSPStatus [private]

Pointer to client's OSCP status. This object sets the status according to the result of the validation. If the validation cannot be carried out, the default value is OCSP::EResponseSignatureValidationFailure.

CPKIXValidationResultBase * iPKIXResultBase

CPKIXValidationResultBase * iPKIXResultBase [private]

The cert chain stores the validation result in this object.

iRespSignCertChain;

const COCSPRequest * iRequest

const COCSPRequest * iRequest [private]

CPKIXCertChainBase * iRespSignCertChainBase

CPKIXCertChainBase * iRespSignCertChainBase [private]

This object is used to chain the response signer back to the CA.

RPointerArray< CX509Certificate > iRespSignIntCert

RPointerArray < CX509Certificate > iRespSignIntCert [private]

Array used to hold pointer to issuer cert. This contains the pointer to the CA.

COCSPResponse * iResponse

COCSPResponse * iResponse [private]

Response from OCSP server. Once it has been established that the certificate sent with the response is an authorised responder for the CA, the response is checked to ensure that it really is signed by that certificate.

This is not const because, if DSA is used, then SetParametersL() will be called on the response before the signature is verified.

const CX509Certificate * iResponseCert

const CX509Certificate * iResponseCert [private]

TDelegateAuthState iState

TDelegateAuthState iState [private]

TBool iValidateFromResponse

TBool iValidateFromResponse [private]

TTime iValidationTime

TTime iValidationTime [private]