|
1 /* |
|
2 * Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: |
|
15 * Developer mode certificate constraints implementation. |
|
16 * |
|
17 */ |
|
18 |
|
19 |
|
20 /** |
|
21 @file |
|
22 @released |
|
23 @internalTechnology |
|
24 */ |
|
25 |
|
26 #include "certchainconstraints.h" |
|
27 #include "x509constraintext.h" |
|
28 #include <x509certext.h> |
|
29 //#include "log.h" |
|
30 |
|
31 using namespace Swi; |
|
32 |
|
33 // |
|
34 // CCertChainConstraints methods. |
|
35 // |
|
36 |
|
37 EXPORT_C CCertChainConstraints* CCertChainConstraints::NewL(RPointerArray<CPKIXCertChainBase>& aValidCerts) |
|
38 { |
|
39 CCertChainConstraints* self = CCertChainConstraints::NewLC(aValidCerts); |
|
40 CleanupStack::Pop(self); |
|
41 return self; |
|
42 } |
|
43 |
|
44 EXPORT_C CCertChainConstraints* CCertChainConstraints::NewLC(RPointerArray<CPKIXCertChainBase>& aValidCerts) |
|
45 { |
|
46 CCertChainConstraints* self = new(ELeave) CCertChainConstraints(); |
|
47 CleanupStack::PushL(self); |
|
48 self->ConstructL(aValidCerts); |
|
49 return self; |
|
50 } |
|
51 |
|
52 EXPORT_C CCertChainConstraints* CCertChainConstraints::NewL() |
|
53 { |
|
54 CCertChainConstraints* self = new(ELeave) CCertChainConstraints(); |
|
55 return self; |
|
56 } |
|
57 |
|
58 CCertChainConstraints::~CCertChainConstraints() |
|
59 { |
|
60 //Release the resources |
|
61 iValidSIDs.Close(); |
|
62 iValidVIDs.Close(); |
|
63 iValidDeviceIDs.ResetAndDestroy(); |
|
64 } |
|
65 |
|
66 EXPORT_C TBool CCertChainConstraints::SIDIsValid(TSecureId aRequestSID) const |
|
67 { |
|
68 TBool ret=ETrue; |
|
69 if (iSIDsAreConstrained && (aRequestSID.iId & 0x80000000)==0 && KErrNotFound==iValidSIDs.Find(aRequestSID)) |
|
70 { |
|
71 ret=EFalse; |
|
72 } |
|
73 return ret; |
|
74 } |
|
75 |
|
76 EXPORT_C TBool CCertChainConstraints::VIDIsValid(TVendorId aRequestVID) const |
|
77 { |
|
78 TBool ret=ETrue; |
|
79 if (iVIDsAreConstrained && aRequestVID!=0 && KErrNotFound==iValidVIDs.Find(aRequestVID)) |
|
80 { |
|
81 ret=EFalse; |
|
82 } |
|
83 return ret; |
|
84 } |
|
85 |
|
86 EXPORT_C TBool CCertChainConstraints::CapabilitiesAreValid(TCapabilitySet& aRequestCapabilities) const |
|
87 { |
|
88 return iValidCapabilities.HasCapabilities(aRequestCapabilities); |
|
89 } |
|
90 |
|
91 EXPORT_C TBool CCertChainConstraints::DeviceIDIsValid(const HBufC* aRequestDeviceID) const |
|
92 { |
|
93 TBool ret=EFalse; |
|
94 if (iDeviceIDsAreConstrained) |
|
95 { |
|
96 TInt deviceIDCount=iValidDeviceIDs.Count(); |
|
97 //Check if request Device ID is in the valid device ID list |
|
98 for(TInt i=0; i<deviceIDCount; i++) |
|
99 { |
|
100 if (iValidDeviceIDs[i]->CompareF(*aRequestDeviceID)==0) |
|
101 { |
|
102 ret=ETrue; |
|
103 break; |
|
104 } |
|
105 } |
|
106 } |
|
107 else |
|
108 { |
|
109 //No constaints on Device ID at all |
|
110 ret=ETrue; |
|
111 } |
|
112 return ret; |
|
113 } |
|
114 |
|
115 EXPORT_C TBool CCertChainConstraints::SIDsAreConstrained() const |
|
116 { |
|
117 return iSIDsAreConstrained; |
|
118 } |
|
119 |
|
120 EXPORT_C TBool CCertChainConstraints::VIDsAreConstrained() const |
|
121 { |
|
122 return iVIDsAreConstrained; |
|
123 } |
|
124 |
|
125 EXPORT_C TBool CCertChainConstraints::DeviceIDsAreConstrained() const |
|
126 { |
|
127 return iDeviceIDsAreConstrained; |
|
128 } |
|
129 |
|
130 EXPORT_C TBool CCertChainConstraints::CapabilitiesAreConstrained() const |
|
131 { |
|
132 return iCapabilitiesAreConstrained; |
|
133 } |
|
134 |
|
135 EXPORT_C const TCapabilitySet& CCertChainConstraints::ValidCapabilities() const |
|
136 { |
|
137 return iValidCapabilities; |
|
138 } |
|
139 |
|
140 EXPORT_C void CCertChainConstraints::SetValidCapabilities(const TCapabilitySet& aValidCapabilities) |
|
141 { |
|
142 iValidCapabilities=aValidCapabilities; |
|
143 } |
|
144 |
|
145 CCertChainConstraints::CCertChainConstraints() |
|
146 { |
|
147 //Pre-initialise the valid Capability to all capability supported |
|
148 iValidCapabilities.SetAllSupported(); |
|
149 } |
|
150 |
|
151 void CCertChainConstraints::ConstructL(RPointerArray<CPKIXCertChainBase>& aValidCerts) |
|
152 { |
|
153 //Get the Cert Chain count |
|
154 TInt certChainCount=aValidCerts.Count(); |
|
155 |
|
156 //Go through the certificate chains |
|
157 for(TInt i=0; i<certChainCount; i++) |
|
158 { |
|
159 TInt certCount=aValidCerts[i]->Count(); |
|
160 //Go through the certificate in one certificate chain |
|
161 for (TInt j=0; j<certCount; j++) |
|
162 { |
|
163 const CX509Certificate& validCert=aValidCerts[i]->Cert(j); |
|
164 |
|
165 //Retrieve the DeviceIDs and build the list |
|
166 RetrieveExtensionDeviceIDListL(validCert); |
|
167 |
|
168 //Retrieve the Capabilities and build capability constraints |
|
169 RetrieveExtensionCapabilitySetL(validCert); |
|
170 |
|
171 //Retrieve the SIDs and build the list |
|
172 RetrieveExtensionSIDListL(validCert); |
|
173 |
|
174 //Retrieve the VIDs and build the list |
|
175 RetrieveExtensionVIDListL(validCert); |
|
176 } |
|
177 } |
|
178 } |
|
179 |
|
180 void CCertChainConstraints::RetrieveExtensionCapabilitySetL(const CX509Certificate& aCert) |
|
181 { |
|
182 const CX509CertExtension* certExt = aCert.Extension(KCapabilitiesConstraint); |
|
183 if (certExt) |
|
184 { |
|
185 CX509CapabilitySetExt* capSetExt=CX509CapabilitySetExt::NewL(certExt->Data()); |
|
186 iValidCapabilities.Intersection(capSetExt->CapabilitySet()); |
|
187 delete capSetExt; |
|
188 iCapabilitiesAreConstrained=ETrue; |
|
189 } |
|
190 } |
|
191 |
|
192 TBool CompareInstance(const HBufC& aFirst, const HBufC& aSecond) |
|
193 { |
|
194 return (aFirst.CompareF(aSecond) == 0); |
|
195 } |
|
196 |
|
197 void CCertChainConstraints::RetrieveExtensionDeviceIDListL(const CX509Certificate& aCert) |
|
198 { |
|
199 if (!iDeviceIDsAreConstrained || (iDeviceIDsAreConstrained && iValidDeviceIDs.Count()>0)) |
|
200 { |
|
201 const CX509CertExtension* certExt = aCert.Extension(KDeviceIdListConstraint); |
|
202 if (certExt) |
|
203 { |
|
204 CX509Utf8StringListExt* deviceIdExt=CX509Utf8StringListExt::NewLC(certExt->Data()); |
|
205 const RPointerArray<HBufC>& buf=deviceIdExt->StringArray(); |
|
206 // iValidDeviceIDs intersect the constrained Device ID set in the certificate |
|
207 if (!iDeviceIDsAreConstrained) |
|
208 { |
|
209 TInt count=buf.Count(); |
|
210 for (TInt i=0;i<count;i++) |
|
211 { |
|
212 HBufC* temp=buf[i]->AllocLC(); |
|
213 iValidDeviceIDs.AppendL(temp); |
|
214 CleanupStack::Pop(temp); |
|
215 } |
|
216 iDeviceIDsAreConstrained=ETrue; |
|
217 } |
|
218 else |
|
219 { |
|
220 for (TInt k=iValidDeviceIDs.Count()-1;k>=0;k--) |
|
221 { |
|
222 if(KErrNotFound==buf.Find(iValidDeviceIDs[k],TIdentityRelation<HBufC>(CompareInstance))) |
|
223 { |
|
224 HBufC* temp=iValidDeviceIDs[k]; |
|
225 iValidDeviceIDs.Remove(k); |
|
226 delete temp; |
|
227 } |
|
228 } |
|
229 } |
|
230 CleanupStack::PopAndDestroy(deviceIdExt); |
|
231 } |
|
232 } |
|
233 } |
|
234 |
|
235 void CCertChainConstraints::RetrieveExtensionSIDListL(const CX509Certificate& aCert) |
|
236 { |
|
237 if (!iSIDsAreConstrained || (iSIDsAreConstrained && iValidSIDs.Count()>0)) |
|
238 { |
|
239 const CX509CertExtension* certExt=aCert.Extension(KSidListConstraint); |
|
240 if (certExt) |
|
241 { |
|
242 CX509IntListExt* intExt=CX509IntListExt::NewLC(certExt->Data()); |
|
243 const RArray<TInt>& sidList=intExt->IntArray(); |
|
244 // iValidSIDs intersect the constrained sid set in the certificate |
|
245 if (!iSIDsAreConstrained) |
|
246 { |
|
247 TInt count=sidList.Count(); |
|
248 for (TInt i=0;i<count;i++) |
|
249 { |
|
250 iValidSIDs.AppendL(TSecureId(sidList[i])); |
|
251 } |
|
252 iSIDsAreConstrained=ETrue; |
|
253 } |
|
254 else |
|
255 { |
|
256 for (TInt k=iValidSIDs.Count()-1;k>=0;k--) |
|
257 { |
|
258 if (sidList.Find(iValidSIDs[k].iId)==KErrNotFound) |
|
259 { |
|
260 iValidSIDs.Remove(k); |
|
261 } |
|
262 } |
|
263 } |
|
264 CleanupStack::PopAndDestroy(intExt); |
|
265 } |
|
266 } |
|
267 } |
|
268 |
|
269 void CCertChainConstraints::RetrieveExtensionVIDListL(const CX509Certificate& aCert) |
|
270 { |
|
271 if (!iVIDsAreConstrained || (iVIDsAreConstrained && iValidVIDs.Count()>0)) |
|
272 { |
|
273 const CX509CertExtension* certExt=aCert.Extension(KVidListConstraint); |
|
274 if (certExt) |
|
275 { |
|
276 CX509IntListExt* intExt=CX509IntListExt::NewLC(certExt->Data()); |
|
277 const RArray<TInt>& vidList=intExt->IntArray(); |
|
278 // iValidVIDs intersect the constrained vid set in the certificate |
|
279 if (!iVIDsAreConstrained) |
|
280 { |
|
281 TInt count=vidList.Count(); |
|
282 for (TInt i=0;i<count;i++) |
|
283 { |
|
284 iValidVIDs.AppendL(TVendorId(vidList[i])); |
|
285 } |
|
286 iVIDsAreConstrained=ETrue; |
|
287 } |
|
288 else |
|
289 { |
|
290 for (TInt k=iValidVIDs.Count()-1;k>=0;k--) |
|
291 { |
|
292 if (vidList.Find(iValidVIDs[k].iId)==KErrNotFound) |
|
293 { |
|
294 iValidVIDs.Remove(k); |
|
295 } |
|
296 } |
|
297 } |
|
298 CleanupStack::PopAndDestroy(intExt); |
|
299 } |
|
300 } |
|
301 } |
|
302 |