diff -r 000000000000 -r 164170e6151a pkiutilities/ocsp/inc/validator.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/pkiutilities/ocsp/inc/validator.h Tue Jan 26 15:20:08 2010 +0200
@@ -0,0 +1,156 @@
+// Copyright (c) 2001-2009 Nokia Corporation and/or its subsidiary(-ies).
+// All rights reserved.
+// This component and the accompanying materials are made available
+// under the terms of "Eclipse Public License v1.0"
+// which accompanies this distribution, and is available
+// at the URL "http://www.eclipse.org/legal/epl-v10.html".
+//
+// Initial Contributors:
+// Nokia Corporation - initial contribution.
+//
+// Contributors:
+//
+// Description:
+// request.h
+// Header for OCSP validator object.
+//
+//
+
+/**
+ @file
+ @internalComponent
+*/
+
+#ifndef __OCSP_VALIDATOR_H__
+#define __OCSP_VALIDATOR_H__
+
+#include
+#include "ocsprequestandresponse.h"
+/**
+ * Validator. Used to verify the legitimacy of an OCSP response, and the
+ * certificates therein. May specify time for certificate validation - if
+ * omitted, the producedAt time in the response is used instead.
+ */
+
+NONSHARABLE_CLASS(COCSPValidator) : public CActive
+ {
+public:
+ static COCSPValidator* NewL( const COCSPParameters& aParameters);
+
+ ~COCSPValidator();
+
+ /**
+ * Specify Authorisation scheme(s) - doesn't take ownership
+ */
+
+ void AddAuthorisationSchemeL(MOCSPAuthorisationScheme& aScheme);
+
+ /**
+ * Specify the authorisation time (NULL => use producedAt from response)
+ * Default is to use producedAt.
+ */
+
+ void SetValidationTimeL(const TTime* aValidationTime);
+
+ /**
+ * Specify the permissable maximum age of the thisUpdate field in
+ * seconds. zero => don't check, default is 30 days.
+ */
+
+ void SetMaxStatusAge(TUint aMaxAge);
+
+ /**
+ * Specify how much leeway we allow when comparing times - if we're using
+ * the device clock, this allows for the fact that it may be out by a
+ * certain amount. Default is 5 seconds.
+ */
+
+ void SetTimeLeeway(TUint aLeewaySeconds);
+
+ /**
+ * Validate a request/response pair, setting aOutcome to the result.
+ * This is an asynchronous method.
+ */
+
+ void Validate(const COCSPRequest& aRequest, COCSPResponse& aResponse,
+ TOCSPOutcome& aOutcome, TRequestStatus& aStatus);
+
+protected:
+ virtual void DoCancel();
+ virtual void RunL();
+ virtual TInt RunError(TInt aError);
+
+ private:
+ void ConstructL();
+ COCSPValidator( const COCSPParameters& aParameters);
+
+ void DoValidateL(const COCSPRequest& aRequest, COCSPResponse& aResponse,
+ TOCSPOutcome& aOutcome, TRequestStatus& aStatus);
+
+ // Specific validation areas - return false if we should give up now.
+ TBool IsResponseWellFormed(); // Checks correct certs present in response.
+ TBool ValidateTimeL();
+ TBool ValidateNonce();
+
+ void ProcessSchemeValidationL();
+ void CheckSchemeValidationL();
+ void FinalResponseValidationL();
+
+ TTime ValidationTime() const;
+
+ TBool TimeIsBeforeL(const TTime& aBefore, const TTime& aAfter);
+
+ void SendResponderCertL();
+ void ValidateResponderCertL();
+
+ OCSP::TResult CheckOCSPStatus(const COCSPResponse* aResponse) const;
+
+private:
+
+ // Array of integers, giving for each cert in the response the corresponding position in
+ // the request
+ RArray iRequestIndex;
+
+ const COCSPRequest* iRequest;
+ COCSPResponse* iResponse;
+
+ // User-supplied time for validation
+ TTime* iValidationTime;
+
+ // How old to allow thisUpdate to be
+ TUint iMaxStatusAge;
+
+ // Authorisation objects
+ RPointerArray iAuthorisationScheme;
+
+ TOCSPOutcome* iOutcome;
+ TRequestStatus* iValidationStatus;
+
+ enum TState
+ {
+ EValidating,
+ EWaitingResponse,
+ EValidateResponderCert,
+ };
+
+ TState iState;
+
+ // index of the last authorisation scheme we used
+ TInt iIndexScheme;
+
+ TUint iLeewaySeconds;
+
+ TBool iResponderCertCheck;
+ TBool iUseNonce;
+ // ownership lies with the relevant auth scheme
+ const CX509Certificate* iResponderCert;
+ const CX509Certificate* iIssuerCert;
+ COCSPRequest* iResponderCertRequest;
+ COCSPResponse* iResponderCertResponse;
+ COCSPTransaction* iTransaction;
+ // ownership lies with COCSPClient
+ const COCSPParameters* iParameters;
+ MOCSPAuthorisationScheme* iSchemeInUse;
+ };
+
+#endif
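Review bot: The doc comment on `Validate` says only that the call is asynchronous and does not state how long `aRequest`, `aResponse`, `aOutcome` and `aStatus` must remain valid. The private members `iRequest`, `iResponse`, `iOutcome` and `iValidationStatus` are raw pointers, which suggests (the implementation is not in this hunk) that the validator holds on to the caller's objects until the operation completes. I would add to that comment: `* The request, response, outcome and status must stay valid until aStatus completes or the validator is cancelled; ownership is not taken.` Separately, the `SetMaxStatusAge` comment documents zero as "don't check"; it should say that this switches off the thisUpdate age check altogether, e.g. `* Zero disables the age check; an old response is then not rejected on age alone.`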