/*
* Copyright (c) 2003-2009 Nokia Corporation and/or its subsidiary(-ies).
* All rights reserved.
* This component and the accompanying materials are made available
* under the terms of "Eclipse Public License v1.0"
* which accompanies this distribution, and is available
* at the URL "http://www.eclipse.org/legal/epl-v10.html".
*
* Initial Contributors:
* Nokia Corporation - initial contribution.
*
* Contributors:
*
* Description: PKI store and Certificate verification interface for IKEv1
* plug-in
*
*/
#ifndef C_IKEV1PKISERVICE_H
#define C_IKEV1PKISERVICE_H
#include <e32base.h>
#include <asn1dec.h>
#include "pkiserviceapi.h"
#include "ikepolparser.h"
class CX509Certificate;
class TASN1DecGeneric;
class CIkeData;
class CIkeCaList;
class TCertPayloadIkev2;
class TCReqPayloadIkev2;
class TCertificateISAKMP;
class MIkePlugInServices;
class MIkeDebug;
class CIkeCaElem;
//
// CIkeV1PkiService Class
//
class CIkeV1PkiService : public CBase
{
public:
IMPORT_C static CIkeV1PkiService* NewL( CIkeData* aIkeData,
MIkeDebug& aDebug );
IMPORT_C ~CIkeV1PkiService();
IMPORT_C TBool ImportCACertsL(CArrayFixFlat<TCertInfo*> *aCAList);
IMPORT_C TInt ReadUserCertWithNameL(const TDesC8& aTrustedCaName, CIkeData* aIkeData, TBool aDnType);
IMPORT_C TInt Ikev1SignatureL(const TDesC8& aTrustedCaName, CIkeData* aIkeData, const TDesC8& aHashIn, TDes8& aSignature);
IMPORT_C CIkeCaList* CaList();
IMPORT_C HBufC8* GetCertificate();
IMPORT_C HBufC8* GetTrustedCA();
IMPORT_C HBufC8* GetTrustedICA1();
IMPORT_C HBufC8* GetTrustedICA2();
IMPORT_C TInt ReadChainL(CIkeData* aIkeData, const HBufC8* aCAName);
private:
CIkeV1PkiService( CIkeData* aIkeData,
MIkeDebug& aDebug );
void ConstructL();
TInt ComputeSignatureL(const TDesC8& aTrustedAuthority, const TDesC8& aHashIn, TDes8& aSignature, TBool aRsaSignature);
TInt ReadCertificateL(const TDesC8& aTrustedAuthority, TBool aGetCACert);
/**
* Initialized user certificate identification member variables.
* The information is taken from the policy file.
* Only the ID data, which is available is set, other
* data is zeroed.
*
* @result the size of the key, if available in the policy, zero otherwise.
*/
TUint InitUserCertIdentDataL();
TBool GetNextCaElemL();
TBool AddNextCaElemL(TInt& aStatus);
TInt GetNextCertificateL();
TBool CertificateReadL(TInt& aStatus);
TInt ReadCertificateL(const TPKIKeyIdentifier& aKeyIdentifier);
TInt ReadCertificateListL();
TInt GetCertificateWithKeyIdL(const TDesC16& aKeyIdString);
TBool GetApplUidListL(const TDesC16& aApplUidString);
TBool ApplUidCertListCompletedL(TInt aStatus);
TBool ReadNextInListL();
#ifdef _DEBUG
void CertReadCompleted(TBool aCaCert, TInt aStatus, TInt aLine );
void HexToString(const TDesC8& aKeyId, TDes16& aKeyIdString);
#endif
private:
TInt iOperation; // Current operation ongoing
RPKIServiceAPI iPkiService; // PKI Service handle
CIkeCaList* iTrustedCAList; // Trusted CA certificate list
TInt iCurrIndex; // Current index in name list
CArrayFixFlat<TCertInfo*>* iCaNameList; // CA name list delivered
HBufC8* iCaName; // Ca name work buffer
HBufC8* iCa2Name; // Level 1 Intermediate Certificate
HBufC8* iCa1Name; // Level 2 Intermediate Certificate
CIkeData* iIkeData; // Current policy data object
RPointerArray<CIkeCaElem> iCasTrustedByPeer; // CA name list delivered
HBufC8* iReadCertificate; // Certificate stream
HBufC8* iReadCertificateOrig; // Certificate stream of original own certificate
HBufC8* iSubjName; // Subject alt name buffer
HBufC8* iRfc822Name; // RFC822 name buffer
TPtr8 iCertPtr; // For Pkiserviceapi calls
TAny* iResArray; // For Pkiserviceapi calls
TBool iReallocated; // Certificate buffer enlarged
TInt iCertBfrSize; // Certificate buffer size
TPKIKeyIdentifier iCertKeyId; // Certficate keyid
RArray<TUid>* iApplUidList; // Application UID list
CArrayFix<TCertificateListEntry>* iCaCertList; // Applicable CA cert list
TInt iListIndex; // Current index in CA cert list
TBool iUserCertDerType; //0=ASCII, 1=DER
MIkeDebug& iDebug;
};
//
// CIkePkiService operation codes (iOperation)
//
const TInt KNoOperation = 0;
const TInt KBuildingCaList = 1;
const TInt KReadingCertificate = 2;
const TInt KProcessingApplUidList = 3;
const TInt KBuildingApplUidList = 4;
const TInt KSigning = 5;
const TInt KDecrypting = 6;
//
// Certificate field indicators for GetCertificateFieldDERL()
//
#define IKEV2_CERT_KEYID_SIZE 20
//
//Extra Errors for IkeCert::VerifyCertificateL()
//
const TInt KCertVerifyErrBadType = 1;
const TInt KCertVerifyErrNotValidYet = 2;
const TInt KCertVerifyErrExpired = 3;
const TInt KCertVerifyWithinMargin = 4;
const TInt KCertVerifyCriticalExt = 5;
const TInt KCertVerifyKeyUsageErr = 6;
const TInt KCertVerifyCACertificate = 7;
const TInt KDefaultErrorMargin = 3600; // Default error marginal in Validity
const TInt KSha1hashLth = 20;
const TInt KCertKeyIdLth = 20; // Certificate Key Identifier length = Length of SHA1 hash
#endif // C_IKEV1PKISERVICE_H