1 securitydefs.h |
1 /* |
|
2 * Copyright (c) 2001-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: |
|
15 * General Security Definitions |
|
16 * |
|
17 */ |
|
18 |
|
19 |
|
20 |
|
21 |
|
22 /** |
|
23 @file |
|
24 @internalAll |
|
25 */ |
|
26 |
|
27 #ifndef __SECURITYDEFS_H__ |
|
28 #define __SECURITYDEFS_H__ |
|
29 |
|
30 #include <e32std.h> |
|
31 #include <e32base.h> |
|
32 |
|
33 /** General Security Definitions */ |
|
34 |
|
35 // Old keystore interface, deprecated ////////////////////////////////////////// |
|
36 |
|
37 /** |
|
38 * What a key can be used for. |
|
39 * The values this can take are defined in TKeyUsageVals. |
|
40 * |
|
41 * @publishedAll |
|
42 * @deprecated |
|
43 */ |
|
44 typedef TInt TKeyUsage; |
|
45 |
|
46 /** |
|
47 * What a key can be used for. |
|
48 * |
|
49 * These values can be ORed together if a key has several usages. EAllKeyUsages |
|
50 * is used when searching for all keys, rather than ones with a particular |
|
51 * usage. As these can be combined, TKeyUsage is used to store them. |
|
52 * |
|
53 * @publishedAll |
|
54 * @deprecated |
|
55 */ |
|
56 enum TKeyUsageVals |
|
57 { |
|
58 EDigitalSignature = 0x80000000, |
|
59 ENonRepudiation = 0x40000000, |
|
60 EKeyEncipherment = 0x20000000, |
|
61 EDataEncipherment = 0x10000000, |
|
62 EKeyAgreement = 0x08000000, |
|
63 EKeyCertSign = 0x04000000, |
|
64 ECRLSign = 0x02000000, |
|
65 EEncipherOnly = 0x01000000, |
|
66 EDecipherOnly = 0x00800000, |
|
67 EAllKeyUsages = -1 |
|
68 }; |
|
69 |
|
70 // End of deprecated keystore API ////////////////////////////////////////////// |
|
71 |
|
72 /** |
|
73 * What a key can be used for - PKCS#15 scheme. |
|
74 * |
|
75 * @publishedAll |
|
76 * @released |
|
77 */ |
|
78 enum TKeyUsagePKCS15 |
|
79 { |
|
80 EPKCS15UsageEncrypt = 0x001, |
|
81 EPKCS15UsageDecrypt = 0x002, |
|
82 EPKCS15UsageSign = 0x004, |
|
83 EPKCS15UsageSignRecover = 0x008, |
|
84 EPKCS15UsageWrap = 0x010, |
|
85 EPKCS15UsageUnwrap = 0x020, |
|
86 EPKCS15UsageVerify = 0x040, |
|
87 EPKCS15UsageVerifyRecover = 0x080, |
|
88 EPKCS15UsageDerive = 0x100, |
|
89 EPKCS15UsageNonRepudiation = 0x200, |
|
90 // Common combinations |
|
91 EPKCS15UsageEncryptWrap = 0x011, |
|
92 EPKCS15UsageVerifyVerifyRecover = 0x0C0, |
|
93 EPKCS15UsageDecryptUnwrap = 0x022, |
|
94 EPKCS15UsageSignSignRecover = 0x00C, |
|
95 EPKCS15UsageVerifyEncrypt = 0x0D1, |
|
96 EPKCS15UsageSignDecrypt = 0x02E, |
|
97 // For use in filters to return all keys |
|
98 EPKCS15UsageAll = 0xffffffff, |
|
99 EPKCS15UsageNone = 0x00000000 |
|
100 }; |
|
101 |
|
102 inline TKeyUsagePKCS15 operator|(TKeyUsagePKCS15 aLeft, TKeyUsagePKCS15 aRight); |
|
103 inline TKeyUsagePKCS15 operator&(TKeyUsagePKCS15 aLeft, TKeyUsagePKCS15 aRight); |
|
104 inline const TKeyUsagePKCS15& operator|=(TKeyUsagePKCS15& aLeft, TKeyUsagePKCS15 aRight); |
|
105 inline const TKeyUsagePKCS15& operator&=(TKeyUsagePKCS15& aLeft, TKeyUsagePKCS15 aRight); |
|
106 |
|
107 /** |
|
108 * What a key can be used for - X.509 scheme. |
|
109 * |
|
110 * @publishedAll |
|
111 * @released |
|
112 */ |
|
113 enum TKeyUsageX509 |
|
114 { |
|
115 EX509UsageDigitalSignature = 0x80000000, |
|
116 EX509UsageNonRepudiation = 0x40000000, |
|
117 EX509UsageKeyEncipherment = 0x20000000, |
|
118 EX509UsageDataEncipherment = 0x10000000, |
|
119 EX509UsageKeyAgreement = 0x08000000, |
|
120 EX509UsageKeyCertSign = 0x04000000, |
|
121 EX509UsageCRLSign = 0x02000000, |
|
122 EX509UsageEncipherOnly = 0x01000000, |
|
123 EX509UsageDecipherOnly = 0x00800000, |
|
124 // Values for commonly permitted combinations |
|
125 EX509UsageAnySign = 0x86000000, |
|
126 EX509UsageAllEncipher = 0x30000000, |
|
127 EX509UsageAllSignEncipher = 0xB6000000, |
|
128 /// For use in filters to return all keys |
|
129 EX509UsageAll = 0xffffffff, |
|
130 EX509UsageNone = 0x00000000 |
|
131 }; |
|
132 |
|
133 inline TKeyUsageX509 operator|(TKeyUsageX509 aLeft, TKeyUsageX509 aRight); |
|
134 inline TKeyUsageX509 operator&(TKeyUsageX509 aLeft, TKeyUsageX509 aRight); |
|
135 inline const TKeyUsageX509& operator|=(TKeyUsageX509& aLeft, TKeyUsageX509 aRight); |
|
136 inline const TKeyUsageX509& operator&=(TKeyUsageX509& aLeft, TKeyUsageX509 aRight); |
|
137 |
|
138 /** |
|
139 * |
|
140 * |
|
141 * @param aUsage |
|
142 * @return |
|
143 */ |
|
144 IMPORT_C TKeyUsageX509 KeyUsagePKCS15ToX509(TKeyUsagePKCS15 aUsage); |
|
145 |
|
146 /** |
|
147 * |
|
148 * |
|
149 * @param aUsage |
|
150 * @return |
|
151 */ |
|
152 IMPORT_C TKeyUsagePKCS15 KeyUsageX509ToPKCS15Private(TKeyUsageX509 aUsage); |
|
153 |
|
154 /** |
|
155 * |
|
156 * |
|
157 * @param aUsage |
|
158 * @return |
|
159 */ |
|
160 IMPORT_C TKeyUsagePKCS15 KeyUsageX509ToPKCS15Public(TKeyUsageX509 aUsage); |
|
161 |
|
162 /** |
|
163 * Supported types of certificate format. Note these must be only 1 byte long as |
|
164 * the file cert store only seralises them as 1 byte. |
|
165 * |
|
166 * @publishedAll |
|
167 * @released |
|
168 */ |
|
169 enum TCertificateFormat |
|
170 { |
|
171 EX509Certificate = 0x00, |
|
172 EWTLSCertificate = 0x01, |
|
173 EX968Certificate = 0x02, |
|
174 EUnknownCertificate = 0x0f, |
|
175 EX509CertificateUrl = 0x10, |
|
176 EWTLSCertificateUrl = 0x11, |
|
177 EX968CertificateUrl = 0x12 |
|
178 }; |
|
179 |
|
180 /** |
|
181 * The owner of a certificate. |
|
182 * |
|
183 * @publishedAll |
|
184 * @released |
|
185 */ |
|
186 enum TCertificateOwnerType |
|
187 { |
|
188 ECACertificate, |
|
189 EUserCertificate, |
|
190 EPeerCertificate |
|
191 }; |
|
192 |
|
193 /** The length of a SHA-1 hash |
|
194 * |
|
195 * @publishedAll |
|
196 * @released |
|
197 */ |
|
198 const TInt KSHA1HashLengthBytes = 20; |
|
199 |
|
200 /** |
|
201 * A SHA-1 hash. |
|
202 * |
|
203 * @publishedAll |
|
204 * @released |
|
205 */ |
|
206 typedef TBuf8<KSHA1HashLengthBytes> TSHA1Hash; |
|
207 |
|
208 //const TInt KMD5HashLengthBytes = 16; |
|
209 //typedef TMD5Hash TBufC8<KMD5HashLengthBytes>; |
|
210 |
|
211 /** |
|
212 * A SHA-1 hash is also used as a key identifier. |
|
213 * |
|
214 * @publishedAll |
|
215 * @released |
|
216 */ |
|
217 typedef TSHA1Hash TKeyIdentifier; |
|
218 |
|
219 /** |
|
220 * Errors that can occur when validating a certificate chain. |
|
221 * |
|
222 * Except EValidatedOK, all these are fatal errors unless specified. |
|
223 * |
|
224 * @publishedAll |
|
225 * @released |
|
226 */ |
|
227 enum TValidationError |
|
228 { |
|
229 /** Validation OK */ |
|
230 EValidatedOK, |
|
231 /** Certificate chain has no root */ |
|
232 EChainHasNoRoot, |
|
233 /** Invalid signature */ |
|
234 ESignatureInvalid, |
|
235 /** Date out of range */ |
|
236 EDateOutOfRange, |
|
237 /** Name is excluded */ |
|
238 ENameIsExcluded, |
|
239 /** Name is not permitted */ |
|
240 ENameNotPermitted, //subtle difference here! |
|
241 /** Not a CA certificate */ |
|
242 ENotCACert, |
|
243 /** Certificate revoked */ |
|
244 ECertificateRevoked, |
|
245 /** Unrecognized critical extension */ |
|
246 EUnrecognizedCriticalExtension, |
|
247 /** No basic constraint in CA certificate */ |
|
248 ENoBasicConstraintInCACert, |
|
249 /** No acceptable policy */ |
|
250 ENoAcceptablePolicy, |
|
251 /** Path too long */ |
|
252 EPathTooLong, |
|
253 /** Negative path length specified */ |
|
254 ENegativePathLengthSpecified, |
|
255 /** Names do not chain */ |
|
256 ENamesDontChain, |
|
257 /** Required policy not found */ |
|
258 ERequiredPolicyNotFound, |
|
259 /** Bad key usage */ |
|
260 EBadKeyUsage, |
|
261 /** |
|
262 * Root certificate not self-signed. |
|
263 * |
|
264 * We cannot tell if this is fatal or not, as we lack the context. |
|
265 */ |
|
266 ERootCertNotSelfSigned, |
|
267 /** |
|
268 * Critical extended key usage |
|
269 * |
|
270 * We cannot tell if this is fatal or not, as we lack the context. |
|
271 */ |
|
272 ECriticalExtendedKeyUsage, |
|
273 /** |
|
274 * Critical certificate policies with qualifiers |
|
275 * |
|
276 * We cannot tell if this is fatal or not, as we lack the context. |
|
277 */ |
|
278 ECriticalCertPoliciesWithQualifiers, |
|
279 /** |
|
280 * Critical policy mapping |
|
281 * |
|
282 * We cannot tell if this is fatal or not, as we lack the context. |
|
283 */ |
|
284 ECriticalPolicyMapping, |
|
285 /** |
|
286 * Critical Device Id |
|
287 * |
|
288 * We cannot tell if this is fatal or not, as we lack the context. |
|
289 */ |
|
290 ECriticalDeviceId, |
|
291 /** |
|
292 * Critical Sid |
|
293 * |
|
294 * We cannot tell if this is fatal or not, as we lack the context. |
|
295 */ |
|
296 ECriticalSid, |
|
297 /** |
|
298 * Critical Vid |
|
299 * |
|
300 * We cannot tell if this is fatal or not, as we lack the context. |
|
301 */ |
|
302 ECriticalVid, |
|
303 /** |
|
304 * Critical Capabilities |
|
305 * |
|
306 * We cannot tell if this is fatal or not, as we lack the context. |
|
307 */ |
|
308 ECriticalCapabilities |
|
309 }; |
|
310 |
|
311 // Certificate Applicability UIDs |
|
312 |
|
313 /** |
|
314 * This UID is associated with certificates which are trusted for |
|
315 * software installation of native applications. |
|
316 * |
|
317 * @see MCertStore::Applications |
|
318 * @see MCTWritableCertStore::SetApplicability |
|
319 * |
|
320 * @publishedPartner |
|
321 * @released |
|
322 */ |
|
323 const TUid KSwiApplicabilityUid = {0x100042AB}; |
|
324 |
|
325 /** |
|
326 * This UID is associated with certificates which are trusted for |
|
327 * OCSP checks. |
|
328 * |
|
329 * @see MCertStore::Applications |
|
330 * @see MCTWritableCertStore::SetApplicability |
|
331 * |
|
332 * @publishedPartner |
|
333 * @released |
|
334 */ |
|
335 const TUid KSwiOcspApplicabilityUid = {0x1000A8B6}; |
|
336 |
|
337 /** |
|
338 * This UID is associated with certificates which are trusted for |
|
339 * Java midlet installation. |
|
340 * |
|
341 * @see MCertStore::Applications |
|
342 * @see MCTWritableCertStore::SetApplicability |
|
343 * |
|
344 * @publishedPartner |
|
345 * @released |
|
346 */ |
|
347 const TUid KMidletInstallApplicabilityUid = {0x101F9B28}; |
|
348 |
|
349 /** |
|
350 * This UID is associated with certificates which are trusted for |
|
351 * SSL/TLS connectivity. |
|
352 * |
|
353 * @see MCertStore::Applications |
|
354 * @see MCTWritableCertStore::SetApplicability |
|
355 * |
|
356 * @publishedPartner |
|
357 * @released |
|
358 */ |
|
359 const TUid KTlsApplicabilityUid = {0x1000183D}; |
|
360 |
|
361 /** |
|
362 * This OID is associated with X.509 certificates |
|
363 * trusted for TLS WWW server authentication. |
|
364 * |
|
365 * @publishedPartner |
|
366 * @released |
|
367 */ |
|
368 _LIT(KServerAuthOID,"1.3.6.1.5.5.7.3.1"); |
|
369 |
|
370 /** |
|
371 * This OID is associated with X.509 certificates |
|
372 * trusted for TLS WWW client authentication. |
|
373 * |
|
374 * @publishedPartner |
|
375 * @released |
|
376 */ |
|
377 // SSL Client |
|
378 _LIT(KClientAuthOID,"1.3.6.1.5.5.7.3.2"); |
|
379 |
|
380 /** |
|
381 * This OID is associated with X.509 certificates |
|
382 * trusted for signing of downloadable executable code. |
|
383 * |
|
384 * @publishedPartner |
|
385 * @released |
|
386 */ |
|
387 _LIT(KCodeSigningOID,"1.3.6.1.5.5.7.3.3"); |
|
388 |
|
389 /** |
|
390 * This OID is associated with X.509 certificates |
|
391 * trusted for email protection . |
|
392 * |
|
393 * @publishedPartner |
|
394 * @released |
|
395 */ |
|
396 _LIT(KEmailProtectionOID,"1.3.6.1.5.5.7.3.4"); |
|
397 |
|
398 /** |
|
399 * This OID is associated with X.509 certificates |
|
400 * trusted for Ipsec end system. |
|
401 * |
|
402 * @publishedPartner |
|
403 * @released |
|
404 */ |
|
405 _LIT(KIpsecEndSystemOID,"1.3.6.1.5.5.7.3.5"); |
|
406 |
|
407 /** |
|
408 * This OID is associated with X.509 certificates |
|
409 * trusted for Ipsec tunnel. |
|
410 * |
|
411 * @publishedPartner |
|
412 * @released |
|
413 */ |
|
414 _LIT(KIpsecTunnelOID,"1.3.6.1.5.5.7.3.6"); |
|
415 |
|
416 /** |
|
417 * This OID is associated with X.509 certificates |
|
418 * trusted for Ipsec user. |
|
419 * |
|
420 * @publishedPartner |
|
421 * @released |
|
422 */ |
|
423 _LIT(KIpsecUserOID, "1.3.6.1.5.5.7.3.7"); |
|
424 |
|
425 /** |
|
426 * This OID is associated with X.509 certificates |
|
427 * trusted for binding the hash of an object to a time. |
|
428 * |
|
429 * @publishedPartner |
|
430 * @released |
|
431 */ |
|
432 _LIT(KTimeStampingOID,"1.3.6.1.5.5.7.3.8"); |
|
433 |
|
434 /** |
|
435 * This OID is associated with X.509 certificates |
|
436 * trusted for signing OCSP responses. |
|
437 * |
|
438 * @publishedPartner |
|
439 * @released |
|
440 */ |
|
441 _LIT(KOCSPSigningOID,"1.3.6.1.5.5.7.3.9"); |
|
442 |
|
443 |
|
444 |
|
445 #include "securitydefs.inl" |
|
446 |
|
447 #endif |