FCL/sf/os/security: comparison cryptomgmtlibs/securitydocs/ocsp.txt

equal deleted inserted replaced

-:c11c717470d0
+:11c66574c2a2
-How to use OSCP
-===============
-Note: The actual code snippets are indented.
-Include ocsp.h in your header file.
-	#include <ocsp.h>
-Link your project with ocsp.lib: add the following string to your project's .mmp
-file:
-	LIBRARY ocsp.lib
-Add the following to your class declaration, which should be derived from
-CActive:
-	COcspClient* iOcspClient;
-You will need to know revocation server URI. It is possible to get it from
-installer preferences. Most Software Install components accept the URI as a
-construction parameter. This is because they are started by the UI which stores
-preferences in its resource file. If you want to retrieve it yourself, you can
-use the following code (taken from InstallEngineImpl.cpp):
-	//	Open instapp's ini file
-	static CDictionaryStore* OpenIniFileLC(RFs& aFs)
-		{
-		CApaAppFinder* appFinder=CApaScanningAppFinder::NewL(aFs);
-		CleanupStack::PushL(appFinder);
-		TUid instAppUid={KUidInstallAppValue};
-		TFileName libName=appFinder->FindAppL(KInstallAppName,instAppUid);
-		CleanupStack::PopAndDestroy(appFinder);
-		TParse parser;
-		User::LeaveIfError(parser.SetNoWild(KIniFileExtension,&KInstAppDriveC(),
-			&libName));
-		aFs.MkDirAll(parser.FullName()); // ignore the error
-		CDictionaryFileStore* dict = CDictionaryFileStore::OpenLC(aFs,
-			parser.FullName(),instAppUid);
-		return dict;
-		}
-	// get preferences from ini file
-	{
-	RFs fs;
-	User::LeaveIfError(fs.Connect());
-	CleanupClosePushL(fs);
-	CDictionaryStore* iniFile=OpenIniFileLC(fs); // see above
-	User::LeaveIfNull(iniFile);
-	RDictionaryReadStream readStream;
-	readStream.OpenLC(*iniFile,KUidInstallPrefs);
-	TInstallPrefs prefs; // this is what you need
-	TRAPD(ret,readStream >> prefs);   // will return KErrEof first time
-	CleanupStack::PopAndDestroy(2); //readStream, iniFile
-	CleanupStack::Pop(); // fs
-	fs.Close();
-	}
-If at any time you want to cancel OCSP check, call
-	iOcspClient->CancelCheck();
-When ready to perform the check (the certificate chain is built), use the
-following code as a template (from JavaInstallerSecurityManager.cpp):
-	COCSPParameters* params = COCSPParameters::NewLC();
-	params->SetURIL(*iOCSPServerURI, ETrue);
-	params->AddCertificatesL(*iCertChain);
-	// Set up authorisation scheme - we've a special UID registered with the
-	// certStore for the appropriate certificates
-	COCSPDirectAuthorisationScheme* scheme =
-		COCSPDirectAuthorisationScheme::NewLC(
-		TUid::Uid(KCertStoreUIDForSWInstallOCSPSigning));
-	params->AddAuthorisationSchemeL(scheme);
-	CleanupStack::Pop(scheme);
-	// Won't set validation time - this uses the response producedAt time
-	// instead. This avoids us relying on an accurate time in the device.
-	// Caching of old responses avoided by use of the nonce.
-	iOcspClient = COcspClient::NewL(params);
-	CleanupStack::Pop(params);
-	iOcspClient->Check(iStatus);
-When the request completes and your class's RunL() is called, use the following
-function template to process the result:
-	TBool accept = ETrue;
-	switch (iStatus.Int())
-		{
-		case OCSP::KErrNoCertificates:
-			// No certs in OCSP request - no proper cert chain formed.
-			// Covered by check digital sig logic already, so we let it pass.
-			break;
-		case KErrNone:
-		    {
-			// Check the outcome of every transaction made
-			for (TInt index = 0;
-				accept && index < iOcspClient->TransactionCount();
-				++index)
-				{
-				const TOCSPOutcome& outcome = iOcspClient->Outcome(index);
-				// We have the OCSP response.  Interpret it, asking the user
-				// what questions we need to.  Return determines whether we
-				// continue the install
-				switch (outcome.iStatus)
-					{
-					case OCSP::ETransportError:
-					case OCSP::EClientInternalError:
-					case OCSP::EMalformedRequest:
-					case OCSP::EServerInternalError:
-					case OCSP::ETryLater:
-					case OCSP::ESignatureRequired:
-					case OCSP::EClientUnauthorised:
-					case OCSP::EUnknownResponseType:
-						// Error: unable to obtain certificate status
-						break;
-					case OCSP::ENoServerSpecified:
-					case OCSP::EInvalidURI:
-						// Error: invalid revocation server URI
-						break;
-					case OCSP::EResponseSignatureValidationFailure:
-						// Error: response signature validation failed
-						break;
-					case OCSP::EThisUpdateTooLate:
-					case OCSP::EThisUpdateTooEarly:
-					case OCSP::ENextUpdateTooEarly:
-					case OCSP::ENonceMismatch:
-					case OCSP::EMalformedResponse:
-					case OCSP::EUnknownCriticalExtension:
-					case OCSP::EMissingCertificates:
-						// Error: invalid server response
-						break;
-					case OCSP::EMissingNonce:
-						// Error: missing nonce
-						break;
-					case OCSP::ECertificateNotValidAtValidationTime:
-						// Error: invalid certificate status information
-						break;
-					case OCSP::EValid:
-						switch(outcome.iResult)
-							{
-							case OCSP::EGood:
-								accept = ETrue;
-								break;
-							case OCSP::EUnknown:
-								// ask user
-								break;
-							case OCSP::ERevoked:
-								// ask user
-								break;
-							default:
-								ASSERT(EFalse);
-							}
-						break;
-					default:
-						ASSERT(EFalse);
-						break;
-					}
-				}
-			break;
-			}
-		default:
-			// Error: cannot obtain certificate status, ask user
-			break;
-		}
-	delete iOcspClient;
-	iOcspClient = NULL;
-OCSP check can take a long time. Therefore it is a good thing to display a
-status dialog for the user telling her that OCSP check is in progress and
-allowing her to cancel it. Both SIS and Java installers delegate this function
-to their respective UI handlers.

changeset 60	11c66574c2a2
parent 56	c11c717470d0
child 62	b23410e29e22
child 65	970c0057d9bc