|
1 /* |
|
2 * Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: |
|
15 * PKIXCERTCHAIN.H |
|
16 * PKIX certificate chain implementation |
|
17 * |
|
18 */ |
|
19 |
|
20 |
|
21 |
|
22 |
|
23 /** |
|
24 @file |
|
25 @internalTechnology |
|
26 */ |
|
27 |
|
28 #ifndef __PKIXCERTCHAIN_H__ |
|
29 #define __PKIXCERTCHAIN_H__ |
|
30 |
|
31 #include <e32std.h> |
|
32 #include <x509certchain.h> |
|
33 #include <pkixvalidationresult.h> |
|
34 |
|
35 //implements key validation according to RFC 2459 (PKIX cert/CRL profile), section 6 |
|
36 class CPKIXValidationState; |
|
37 class CPKIXChainBuilder; |
|
38 class CPKIXCertChainAO; |
|
39 class CPKIXCertChainHelper; |
|
40 class MCertStore; |
|
41 |
|
42 /** |
|
43 * Base class for CPKIXCertChain |
|
44 * @internalTechnology |
|
45 */ |
|
46 class CPKIXCertChainBase : public CX509CertChain |
|
47 { |
|
48 public: |
|
49 //constructors |
|
50 /** Creates a certificate chain using the binary data in aEncodedCerts. |
|
51 * |
|
52 * @param aCertStore The certificate store to use when looking for root certificates. |
|
53 * @param aEncodedCerts One or more concatenated DER encoded X.509 certificates. |
|
54 * The first certificate will be interpreted as the end entity certificate to |
|
55 * be validated; subsequent certificates may be in any order and may be used |
|
56 * by the chain as intermediate certificates, but not root certificates. The |
|
57 * individual certificates can be retrieved since each one contains its own length. |
|
58 * @param aClient The Uid identifying the purpose for which the chain will be used. |
|
59 * This value will be used to select a subset of stored certificates, by way of their trust |
|
60 * settings, to be used as candidate root certificates. */ |
|
61 IMPORT_C static CPKIXCertChainBase* NewL(MCertStore& aCertStore, const TPtrC8& aEncodedCerts, |
|
62 const TUid aClient); |
|
63 |
|
64 /** Creates a certificate chain using the binary data in aEncodedCerts, and puts |
|
65 * a pointer to the new object onto the cleanup stack. |
|
66 * |
|
67 * @param aCertStore The certificate store to use when looking for root certificates. |
|
68 * @param aEncodedCerts One or more concatenated DER encoded X.509 certificates. |
|
69 * The first certificate will be interpreted as the end entity certificate to |
|
70 * be validated; subsequent certificates may be in any order and may be used |
|
71 * by the chain as intermediate certificates, but not root certificates. The |
|
72 * individual certificates can be retrieved since each one contains its own length. |
|
73 * @param aClient The Uid identifying the purpose for which the chain will be used. |
|
74 * This value will be used to select a subset of stored certificates, by way of their trust |
|
75 * settings, to be used as candidate root certificates. */ |
|
76 IMPORT_C static CPKIXCertChainBase* NewLC(MCertStore& aCertStore, const TPtrC8& aEncodedCerts, |
|
77 const TUid aClient); |
|
78 |
|
79 /** Creates a certificate chain using the binary data in aEncodedCerts. |
|
80 * |
|
81 * @param aCertStore The certificate store to use when looking for root certificates. |
|
82 * @param aEncodedCerts One or more concatenated DER encoded X.509 certificates. |
|
83 * The first certificate will be interpreted as the end entity certificate to |
|
84 * be validated; subsequent certificates may be in any order and may be used |
|
85 * by the chain as intermediate certificates, but not root certificates. Any |
|
86 * self signed certificates supplied here after the first one will be discarded, |
|
87 * as self signed certificates cannot by definition be intermediate certificates. |
|
88 * The individual certificates can be retrieved since each one contains its own |
|
89 * length. |
|
90 * @param aRootCerts An array of certificates which the chain will treat as candidate root |
|
91 * certificates. If one of these overloads is used, the chain will not look in |
|
92 * stores for root certificates, but will only use the certificates supplied here. */ |
|
93 IMPORT_C static CPKIXCertChainBase* NewL(MCertStore& aCertStore, const TPtrC8& aEncodedCerts, |
|
94 const RPointerArray<CX509Certificate>& aRootCerts); |
|
95 |
|
96 /** Creates a certificate chain using the binary data in aEncodedCerts and puts |
|
97 * a pointer to the new object onto the cleanup stack. |
|
98 * |
|
99 * @param aCertStore The certificate store to use when looking for root certificates. |
|
100 * @param aEncodedCerts One or more concatenated DER encoded X.509 certificates. |
|
101 * The first certificate will be interpreted as the end entity certificate to |
|
102 * be validated; subsequent certificates may be in any order and may be used |
|
103 * by the chain as intermediate certificates, but not root certificates. Any |
|
104 * self signed certificates supplied here after the first one will be discarded |
|
105 * as self signed certificates cannot by definition be intermediate certificates. |
|
106 * The individual certificates can be retrieved since each one contains its own |
|
107 * length. |
|
108 * @param aRootCerts An array of certificates which the chain will treat as candidate root |
|
109 * certificates. If one of these overloads is used, the chain will not look in |
|
110 * stores for root certificates, but will only use the certificates supplied here. */ |
|
111 IMPORT_C static CPKIXCertChainBase* NewLC(MCertStore& aCertStore, const TPtrC8& aEncodedCerts, |
|
112 const RPointerArray<CX509Certificate>& aRootCerts); |
|
113 |
|
114 /** Destructor. |
|
115 * |
|
116 * Frees all resources owned by the object. */ |
|
117 IMPORT_C ~CPKIXCertChainBase(); |
|
118 //validation |
|
119 |
|
120 /** Validates the chain. |
|
121 * |
|
122 * @param aValidationResult On completion, this contains the result of the validation. |
|
123 * @param aValidationTime The time that should be presumed to be the current time when checking timestamps. |
|
124 * @param aStatus An asynchronous request status object. */ |
|
125 IMPORT_C void ValidateL(CPKIXValidationResultBase& aValidationResult, |
|
126 const TTime& aValidationTime, TRequestStatus& aStatus); |
|
127 |
|
128 /** Validates the chain. |
|
129 * |
|
130 * @param aValidationResult On completion, this contains the result of the validation. |
|
131 * @param aValidationTime The time that should be presumed to be the current time when checking timestamps. |
|
132 * @param aInitialPolicies The policies we want to be present in the certificate chain. |
|
133 * @param aStatus An asynchronous request status object. */ |
|
134 IMPORT_C void ValidateL(CPKIXValidationResultBase& aValidationResult, |
|
135 const TTime& aValidationTime, const CArrayPtr<HBufC>& aInitialPolicies, |
|
136 TRequestStatus& aStatus); |
|
137 |
|
138 /** Cancels an asynchronous ValidateL() operation. */ |
|
139 IMPORT_C void CancelValidate(); |
|
140 |
|
141 /** Adds one or more intermediate certificates to use when building the chain . |
|
142 * |
|
143 * Any self signed certs are ignored. |
|
144 * |
|
145 * @param aEncodedCerts The concatenation of one or more DER encoded X.509 certificates. */ |
|
146 IMPORT_C void AddCertL(const TPtrC8& aEncodedCerts); |
|
147 |
|
148 /** Tests whether the root certificate of the chain is locatable. |
|
149 * |
|
150 * Note that the value is only significant after a successful call to ValidateL(). |
|
151 * |
|
152 * @return ETrue if the chain has a root; EFalse, otherwise. */ |
|
153 IMPORT_C TBool ChainHasRoot() const; |
|
154 |
|
155 /** Returns a list of the critical extension OIDs that are supported by the |
|
156 * chain validator. If a critical extension is encountered in a certificate |
|
157 * chain whose OID matches an element in this set then the chain validator |
|
158 * shall treat this as a warning instead of an error. |
|
159 * |
|
160 * If CPKIXCertChain::SetSupportedCriticalExtensionsL() has not been called, this |
|
161 * list will return the default set of supported critical extensions which |
|
162 * includes the X.509 standard and Symbian specific SIS file critical extensions. |
|
163 * These extensions may change in the future and should not be relied upon. |
|
164 * |
|
165 * @return The current list of supported critical extension OIDs. Ownership is not |
|
166 * transferred to the caller. */ |
|
167 IMPORT_C const RPointerArray<TDesC>& SupportedCriticalExtensions() const; |
|
168 |
|
169 /** Adds one or more critical extension OIDs to the list of supported critical |
|
170 * extensions. Duplicate OID values are not added. |
|
171 * |
|
172 * @param aCriticalExtOids A list of the critical extensions OIDs to append to the supported |
|
173 * list. Ownership is not transferred from the caller. */ |
|
174 IMPORT_C void AddSupportedCriticalExtensionsL(const RPointerArray<TDesC>& aCriticalExtOids); |
|
175 |
|
176 /** Removes one or more critical extension OIDs from the list of supported critical extensions. |
|
177 * |
|
178 * @param aCriticalExts A list of the critical extensions OIDs to remove from the supported list. |
|
179 * Ownership is with the original caller. Oids will not be destroyed. */ |
|
180 IMPORT_C void RemoveSupportedCriticalExtensions(const RPointerArray<TDesC>& aCriticalExtOids); |
|
181 |
|
182 /** Completely replaces the set of supported critical extensions for certificate validation. If a critical |
|
183 * extension is encountered matching one of these OIDs then its occurrence is treated as a warning rather |
|
184 * than an error. The results of which can be queried through a call to CPKIXValidationResult::ValidationWarnings(). |
|
185 * |
|
186 * @param aCriticalExtOids A list of the critical extensions OIDs for the class to support. Ownership is |
|
187 * not transferred from the caller. */ |
|
188 IMPORT_C void SetSupportedCriticalExtensionsL(const RPointerArray<TDesC>& aCriticalExtOids); |
|
189 |
|
190 /** Resets the current list of supported critical extensions and re-populates it with the default set |
|
191 * which includes the X.509 standard and Symbian specific SIS file critical extensions. These extensions |
|
192 * may change in the future and should not be relied upon. */ |
|
193 IMPORT_C void ResetSupportedCriticalExtsToDefaultL(); |
|
194 |
|
195 /** Specify if a failed check on the certificate validity date is treated as an error or a warning. |
|
196 * |
|
197 * @param aIsFatal ETrue for reporting as an error; EFalse for a warning.*/ |
|
198 IMPORT_C void SetValidityPeriodCheckFatal(TBool aIsFatal); |
|
199 |
|
200 /** Returns whether or not validity period check failures will be reported as an error or a warning. |
|
201 * |
|
202 * @param aIsFatal ETrue if failure is reported as an error; EFalse for a warning.*/ |
|
203 IMPORT_C TBool ValidityPeriodCheckFatal() const; |
|
204 |
|
205 protected: |
|
206 IMPORT_C CPKIXCertChainBase(); |
|
207 IMPORT_C void ConstructL(MCertStore& aCertStore, const TPtrC8& aEncodedCerts, TUid aClient); |
|
208 IMPORT_C void ConstructL(MCertStore& aCertStore, const TPtrC8& aEncodedCerts, const RPointerArray<CX509Certificate>& aRootCerts); |
|
209 |
|
210 public: |
|
211 // Public non-exported methods called by CPKIXCertChainAO |
|
212 CArrayPtrFlat<CX509Certificate>& Chain(); |
|
213 const RPointerArray<CX509Certificate>& IntermediateCerts(); |
|
214 TBool ChainHasRoot(); |
|
215 void RemoveLastCerts(TInt aNumberOfCertsToRemove); |
|
216 void SetChainHasRoot(TBool aHasRoot); |
|
217 |
|
218 private: |
|
219 void DoConstructL(const TPtrC8& aEncodedCerts); |
|
220 |
|
221 /** |
|
222 * This function adds certificates to the chain but only the ones that are not |
|
223 * self-signed. |
|
224 * |
|
225 * @param aEncodedCerts The encoded certificates. |
|
226 */ |
|
227 void AddIntermediateCertsL(const TPtrC8& aEncodedCerts); |
|
228 |
|
229 private: |
|
230 /** |
|
231 * Holds a list of candiate intermediate certs - these come from the encoded |
|
232 * certs passed at construction time, and also any added with AddCertL(). |
|
233 */ |
|
234 RPointerArray<CX509Certificate> iIntermediateCerts; |
|
235 |
|
236 /** |
|
237 * This is ETrue if the chain has a root and EFalse if it hasn't. The value |
|
238 * is only significant after a successfull call to ValidateL(). |
|
239 */ |
|
240 TBool iChainHasRoot; |
|
241 |
|
242 /** |
|
243 * Most of the fucntionality of the class is asynchronous and is in fact |
|
244 * delegated to iActiveObject which will deal with all the asynchronous |
|
245 * functions. |
|
246 */ |
|
247 CPKIXCertChainAO* iActiveObject; |
|
248 |
|
249 /** |
|
250 * Holds a list of supported critical extensions set by the client. |
|
251 */ |
|
252 RPointerArray<TDesC> iSupportedCriticalExts; |
|
253 |
|
254 /** |
|
255 * When true (the defaut) indicates that a failed check on the validity period of a |
|
256 * certificate will result in a fatal error. When false this instead results in a |
|
257 * warning. |
|
258 */ |
|
259 TBool iDateTimeCheckFatal; |
|
260 }; |
|
261 |
|
262 |
|
263 /** |
|
264 * This class implements a PKIX certificate chain. |
|
265 * |
|
266 * @publishedAll |
|
267 * @released |
|
268 * @since v6.0 |
|
269 */ |
|
270 class CPKIXCertChain : public CPKIXCertChainBase |
|
271 { |
|
272 public: |
|
273 |
|
274 //constructors |
|
275 /** Creates a certificate chain using the binary data in aEncodedCerts. |
|
276 * |
|
277 * @param aFs An open file server session. |
|
278 * @param aEncodedCerts One or more concatenated DER encoded X.509 certificates. |
|
279 * The first certificate will be interpreted as the end entity certificate to |
|
280 * be validated; subsequent certificates may be in any order and may be used |
|
281 * by the chain as intermediate certificates, but not root certificates. The |
|
282 * individual certificates can be retrieved since each one contains its own length. |
|
283 * @param aClient The Uid identifying the purpose for which the chain will be used. |
|
284 * This value will be used to select a subset of stored certificates, by way of their trust |
|
285 * settings, to be used as candidate root certificates. */ |
|
286 IMPORT_C static CPKIXCertChain* NewL(RFs& aFs, const TPtrC8& aEncodedCerts, |
|
287 const TUid aClient); |
|
288 |
|
289 /** Creates a certificate chain using the binary data in aEncodedCerts, and puts |
|
290 * a pointer to the new object onto the cleanup stack. |
|
291 * |
|
292 * @param aFs An open file server session |
|
293 * @param aEncodedCerts One or more concatenated DER encoded X.509 certificates. |
|
294 * The first certificate will be interpreted as the end entity certificate to |
|
295 * be validated; subsequent certificates may be in any order and may be used |
|
296 * by the chain as intermediate certificates, but not root certificates. The |
|
297 * individual certificates can be retrieved since each one contains its own length. |
|
298 * @param aClient The Uid identifying the purpose for which the chain will be used. |
|
299 * This value will be used to select a subset of stored certificates, by way of their trust |
|
300 * settings, to be used as candidate root certificates. */ |
|
301 IMPORT_C static CPKIXCertChain* NewLC(RFs& aFs, const TPtrC8& aEncodedCerts, |
|
302 const TUid aClient); |
|
303 |
|
304 /** Creates a certificate chain using the binary data in aEncodedCerts. |
|
305 * |
|
306 * @param aFs An open file server session. |
|
307 * @param aEncodedCerts One or more concatenated DER encoded X.509 certificates. |
|
308 * The first certificate will be interpreted as the end entity certificate to |
|
309 * be validated; subsequent certificates may be in any order and may be used |
|
310 * by the chain as intermediate certificates, but not root certificates. Any |
|
311 * self signed certificates supplied here after the first one will be discarded, |
|
312 * as self signed certificates cannot by definition be intermediate certificates. |
|
313 * The individual certificates can be retrieved since each one contains its own |
|
314 * length. |
|
315 * @param aRootCerts An array of certificates which the chain will treat as candidate root |
|
316 * certificates. If one of these overloads is used, the chain will not look in |
|
317 * stores for root certificates, but will only use the certificates supplied here. */ |
|
318 IMPORT_C static CPKIXCertChain* NewL(RFs& aFs, const TPtrC8& aEncodedCerts, |
|
319 const RPointerArray<CX509Certificate>& aRootCerts); |
|
320 |
|
321 /** Creates a certificate chain using the binary data in aEncodedCerts and puts |
|
322 * a pointer to the new object onto the cleanup stack. |
|
323 * |
|
324 * @param aFs An open file server session. |
|
325 * @param aEncodedCerts One or more concatenated DER encoded X.509 certificates. |
|
326 * The first certificate will be interpreted as the end entity certificate to |
|
327 * be validated; subsequent certificates may be in any order and may be used |
|
328 * by the chain as intermediate certificates, but not root certificates. Any |
|
329 * self signed certificates supplied here after the first one will be discarded |
|
330 * as self signed certificates cannot by definition be intermediate certificates. |
|
331 * The individual certificates can be retrieved since each one contains its own |
|
332 * length. |
|
333 * @param aRootCerts An array of certificates which the chain will treat as candidate root |
|
334 * certificates. If one of these overloads is used, the chain will not look in |
|
335 * stores for root certificates, but will only use the certificates supplied here. */ |
|
336 IMPORT_C static CPKIXCertChain* NewLC(RFs& aFs, const TPtrC8& aEncodedCerts, |
|
337 const RPointerArray<CX509Certificate>& aRootCerts); |
|
338 |
|
339 //destructor |
|
340 /** Destructor. |
|
341 * |
|
342 * Frees all resources owned by the object. */ |
|
343 IMPORT_C ~CPKIXCertChain(); |
|
344 //validation |
|
345 |
|
346 /** Validates the chain. |
|
347 * |
|
348 * @param aValidationResult On completion, this contains the result of the validation. |
|
349 * @param aValidationTime The time that should be presumed to be the current time when checking timestamps. |
|
350 * @param aStatus An asynchronous request status object. */ |
|
351 IMPORT_C void ValidateL(CPKIXValidationResult& aValidationResult, |
|
352 const TTime& aValidationTime, TRequestStatus& aStatus); |
|
353 |
|
354 /** Validates the chain. |
|
355 * |
|
356 * @param aValidationResult On completion, this contains the result of the validation. |
|
357 * @param aValidationTime The time that should be presumed to be the current time when checking timestamps. |
|
358 * @param aInitialPolicies The policies we want to be present in the certificate chain. |
|
359 * @param aStatus An asynchronous request status object. */ |
|
360 IMPORT_C void ValidateL(CPKIXValidationResult& aValidationResult, |
|
361 const TTime& aValidationTime, const CArrayPtr<HBufC>& aInitialPolicies, |
|
362 TRequestStatus& aStatus); |
|
363 |
|
364 /** Cancels an asynchronous ValidateL() operation. */ |
|
365 IMPORT_C void CancelValidate(); |
|
366 |
|
367 /** Adds a certificate (if it is not self-signed) to the chain . |
|
368 * |
|
369 * @param aEncodedCerts A DER encoded X.509 certificate. */ |
|
370 IMPORT_C void AddCertL(const TPtrC8& aEncodedCerts); |
|
371 |
|
372 /** Tests whether the root certificate of the chain is locatable. |
|
373 * |
|
374 * Note that the value is only significant after a successfull call to ValidateL(). |
|
375 * |
|
376 * @return ETrue if the chain has a root; EFalse, otherwise. */ |
|
377 IMPORT_C TBool ChainHasRoot() const; |
|
378 |
|
379 /** Returns a list of the critical extension OIDs that are supported by the |
|
380 * chain validator. If a critical extension is encountered in a certificate |
|
381 * chain whose OID matches an element in this set then the chain validator |
|
382 * shall treat this as a warning instead of an error. |
|
383 * |
|
384 * If CPKIXCertChain::SetSupportedCriticalExtensionsL() has not been called, this |
|
385 * list will return the default set of supported critical extensions which |
|
386 * includes the X.509 standard and Symbian specific SIS file critical extensions. |
|
387 * These extensions may change in the future and should not be relied upon. |
|
388 * |
|
389 * @return The current list of supported critical extension OIDs. Ownership is not |
|
390 * transferred to the caller. */ |
|
391 IMPORT_C const RPointerArray<TDesC>& SupportedCriticalExtensions() const; |
|
392 |
|
393 /** Adds one or more critical extension OIDs to the list of supported critical |
|
394 * extensions. Duplicate OID values are not added. |
|
395 * |
|
396 * @param aCriticalExtOids A list of the critical extensions OIDs to append to the supported |
|
397 * list. Ownership is not transferred from the caller. */ |
|
398 IMPORT_C void AddSupportedCriticalExtensionsL(const RPointerArray<TDesC>& aCriticalExtOids); |
|
399 |
|
400 /** Removes one or more critical extension OIDs from the list of supported critical extensions. |
|
401 * |
|
402 * @param aCriticalExts A list of the critical extensions OIDs to remove from the supported list. |
|
403 * Ownership is with the original caller. Oids will not be destroyed. */ |
|
404 IMPORT_C void RemoveSupportedCriticalExtensions(const RPointerArray<TDesC>& aCriticalExtOids); |
|
405 |
|
406 /** Completely replaces the set of supported critical extensions for certificate validation. If a critical |
|
407 * extension is encountered matching one of these OIDs then its occurrence is treated as a warning rather |
|
408 * than an error. The results of which can be queried through a call to CPKIXValidationResult::ValidationWarnings(). |
|
409 * |
|
410 * @param aCriticalExtOids A list of the critical extensions OIDs for the class to support. Ownership is |
|
411 * not transferred from the caller. */ |
|
412 IMPORT_C void SetSupportedCriticalExtensionsL(const RPointerArray<TDesC>& aCriticalExtOids); |
|
413 |
|
414 /** Resets the current list of supported critical extensions and re-populates it with the default set |
|
415 * which includes the X.509 standard and Symbian specific SIS file critical extensions. These extensions |
|
416 * may change in the future and should not be relied upon. */ |
|
417 IMPORT_C void ResetSupportedCriticalExtsToDefaultL(); |
|
418 |
|
419 /** Specify if a failed check on the certificate validity date is treated as an error or a warning. |
|
420 * |
|
421 * @param aIsFatal ETrue for reporting as an error; EFalse for a warning.*/ |
|
422 IMPORT_C void SetValidityPeriodCheckFatal(TBool aIsFatal); |
|
423 |
|
424 private: |
|
425 CPKIXCertChain(); |
|
426 void ConstructL(RFs& aFs, const TPtrC8& aEncodedCerts, TUid aClient); |
|
427 void ConstructL(RFs& aFs, const TPtrC8& aEncodedCerts, |
|
428 const RPointerArray<CX509Certificate>& aRootCerts); |
|
429 |
|
430 private: |
|
431 CPKIXCertChainHelper* iHelper; |
|
432 }; |
|
433 |
|
434 #endif |