1 // Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies).

     2 // All rights reserved.

     3 // This component and the accompanying materials are made available

     4 // under the terms of "Eclipse Public License v1.0"

     5 // which accompanies this distribution, and is available

     6 // at the URL "http://www.eclipse.org/legal/epl-v10.html".

     7 //

     8 // Initial Contributors:

     9 // Nokia Corporation - initial contribution.

    10 //

    11 // Contributors:

    12 //

    13 // Description:

    14 // Define methods for authorisation scheme based on the CA who issued the certificate

    15 // issues and signs the response.

    16 // 

    17 //

    18 

    19 #include "ocsp.h"

    20 #include "panic.h"

    21 #include <pkixcertchain.h>

    22 #include <asn1dec.h>

    23 #include <x509keys.h>

    24 #include <x509cert.h>

    25 #include "ocsprequestandresponse.h"

    26 

    27 

    28 EXPORT_C COCSPCaDirectAuthorisationScheme* COCSPCaDirectAuthorisationScheme::NewLC()

    29 	{

    30 	COCSPCaDirectAuthorisationScheme* self = new(ELeave) COCSPCaDirectAuthorisationScheme();

    31 	CleanupStack::PushL(self);

    32 	return self;

    33 	}

    34 

    35 /**

    36 	Validate the response if it is signed by the CA.  The response can

    37 	optionally contain a copy of the CA's certificate.

    38 */

    39 void COCSPCaDirectAuthorisationScheme::ValidateL(OCSP::TStatus& aOCSPStatus,

    40 	COCSPResponse& aResponse, const TTime /* aValidationTime */, TRequestStatus& aStatus,

    41 	const COCSPRequest& aRequest)

    42 	{

    43 	TRequestStatus* validatorReqStatus = &aStatus;

    44 	aOCSPStatus = OCSP::EResponseSignatureValidationFailure;

    45 

    46 	// the OCSP requests are constructed in

    47 	// COCSPClient::ConstructL that exactly one certificate

    48 	// and its signer are sent in each request.

    49 	// (RFC 2560 S4.1.1 allows multiple pairs)

    50 	

    51 	// check the response is actually signed by the CA

    52 	// this effectively tests the same condition.

    53 	// By assuming there is only one request / response pair,

    54 	// there is no need to iterate through each response, which

    55 	// simplifies this scheme's implementation.

    56 

    57 	if (DoValidateL(aRequest, aResponse ))

    58 		{

    59 		aOCSPStatus = OCSP::EValid;

    60 		}

    61 	User::RequestComplete(validatorReqStatus, KErrNone);

    62 	};

    63 

    64 /**

    65 	Checks if the response is signed by the CA.

    66 	If the response has a certificate chain, it must contain

    67 	exactly the CA cert.  It is acceptable for the response

    68 	to have no certificate chain.

    69 

    70 	The responder ID in the certificate must match the CA cert,

    71 	and the whole response must be signed by the CA cert's signer.

    72 */

    73 TBool COCSPCaDirectAuthorisationScheme::DoValidateL(

    74 	const COCSPRequest& aRequest, COCSPResponse& aResponse)

    75 {

    76 	// check the response contains either zero or one certificates.

    77 	// If the response contains a certificate, then it must be the

    78 	// same as the CA.

    79 

    80 	// get the intermediate which signed the EE

    81 	const CX509Certificate& caCert = aRequest.CertInfo(0).Issuer();

    82 	

    83 	// Retrieves the chain from the response of the responder certificate

    84 	// whic signed the response.

    85 	const TPtrC8* certChainData = aResponse.DataElementEncoding(COCSPResponse::ECertificateChain);

    86 	if (certChainData != 0)

    87 		{

    88 		if (! CertChainMatchesCertL(*certChainData, caCert))

    89 			return EFalse;

    90 		}

    91 

    92 	return

    93 			OCSPUtils::DoesResponderIdMatchCertL(aResponse, caCert)

    94 		&&	OCSPUtils::IsResponseSignedByCertL(&aResponse, caCert);

    95 }

    96 

    97 /**

    98 	Checks whether the encoded cert chain contains exactly

    99 	one cert which matches the supplied cert.

   100 

   101 	This is used to verify that, when a cert chain is sent with

   102 	the response, it contains exactly the CA cert.

   103 

   104 	@param	aCertChainData	DER-encoded certificate chain data

   105 							extracted from response.

   106 	@param	aCert			Certificate to look for.

   107 	@return					ETrue if the certificate chain contains

   108 							exactly one response which matches

   109 							aCert; EFalse otherwise.

   110  */

   111 TBool COCSPCaDirectAuthorisationScheme::CertChainMatchesCertL(

   112 	const TDesC8& aCertChainData, const CX509Certificate& aCert)

   113 	{

   114 	// here we cannot assume that the response contains only the CA certificate,

   115 	// which signed the response as that can be a subordinate CA, so the chain

   116 	// can be like RCA(root CA) -> ICA(intermediate CA) -> SCA (sub-ordinate CA)

   117 	// we need to retrieve the SCA for this verification.

   118 	CX509Certificate* respCert = OCSPUtils::GetResponderCertLC(aCertChainData);

   119 	TBool match = aCert.IsEqualL(*respCert);

   120 	CleanupStack::PopAndDestroy(respCert);

   121 	return match;

   122 	}

   123 

   124 /**

   125 	This is a no-op because this implementation is not an

   126 	active object.

   127  */

   128 void COCSPCaDirectAuthorisationScheme::CancelValidate()

   129 	{}

   130 

   131 const CX509Certificate* COCSPCaDirectAuthorisationScheme::ResponderCert() const	

   132 	{

   133 	return NULL;

   134 	}