|
1 /* |
|
2 * Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
19 #include <pkixcertchain.h> |
|
20 #include "pkixcertchainao.h" |
|
21 #include "pkixCons.h" |
|
22 #include "pkixcertstate.h" |
|
23 #include "pkixcerts.h" |
|
24 |
|
25 //**********************************************************************************// |
|
/**
 * Creates a certificate chain object whose trust is keyed on a client UID.
 *
 * Thin wrapper over the matching NewLC(): builds the object, then takes it
 * off the cleanup stack so the caller owns the returned pointer.
 *
 * @param aCertStore    Certificate store handed on to the validator.
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 *                      DoConstructL() treats the first one as the end-entity
 *                      certificate.
 * @param aClient       UID forwarded to CPKIXCertChainAO::NewL(); presumably
 *                      the application whose trust settings in the store
 *                      select acceptable roots - confirm in CPKIXCertChainAO.
 * @return The fully constructed chain object; ownership passes to the caller.
 * @leave Any leave raised by NewLC() (allocation or certificate decoding).
 */
EXPORT_C CPKIXCertChainBase* CPKIXCertChainBase::NewL(MCertStore& aCertStore,
                                                      const TPtrC8& aEncodedCerts,
                                                      const TUid aClient)
    {
    CPKIXCertChainBase* chain = CPKIXCertChainBase::NewLC(aCertStore, aEncodedCerts, aClient);
    CleanupStack::Pop(chain);
    return chain;
    }
|
34 |
|
/**
 * Creates a certificate chain object whose trust is keyed on a client UID and
 * leaves it on the cleanup stack.
 *
 * The object is pushed before second-phase construction, so a leave while
 * decoding aEncodedCerts destroys the half-built object instead of leaking it.
 *
 * @param aCertStore    Certificate store handed on to the validator.
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 * @param aClient       UID forwarded to ConstructL().
 * @return The constructed object, still on the cleanup stack.
 * @leave KErrNoMemory or any leave raised by ConstructL().
 */
EXPORT_C CPKIXCertChainBase* CPKIXCertChainBase::NewLC(MCertStore& aCertStore,
                                                       const TPtrC8& aEncodedCerts,
                                                       const TUid aClient)
    {
    CPKIXCertChainBase* chain = new(ELeave) CPKIXCertChainBase();
    CleanupStack::PushL(chain);
    chain->ConstructL(aCertStore, aEncodedCerts, aClient);
    return chain;
    }
|
44 |
|
/**
 * Creates a certificate chain object that trusts an explicit set of root
 * certificates supplied by the caller.
 *
 * Thin wrapper over the matching NewLC(): builds the object, then takes it
 * off the cleanup stack so the caller owns the returned pointer.
 *
 * @param aCertStore    Certificate store handed on to the validator.
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 * @param aRootCerts    Root certificates the caller trusts. Passed by
 *                      reference to CPKIXCertChainAO::NewL(); whether they are
 *                      copied or merely referenced is not visible here, so
 *                      keep the array alive for the lifetime of this object
 *                      unless CPKIXCertChainAO says otherwise.
 * @return The fully constructed chain object; ownership passes to the caller.
 * @leave Any leave raised by NewLC() (allocation or certificate decoding).
 */
EXPORT_C CPKIXCertChainBase* CPKIXCertChainBase::NewL(MCertStore& aCertStore,
                                                      const TPtrC8& aEncodedCerts,
                                                      const RPointerArray<CX509Certificate>& aRootCerts)
    {
    CPKIXCertChainBase* chain = CPKIXCertChainBase::NewLC(aCertStore, aEncodedCerts, aRootCerts);
    CleanupStack::Pop(chain);
    return chain;
    }
|
53 |
|
/**
 * Creates a certificate chain object that trusts an explicit set of root
 * certificates and leaves it on the cleanup stack.
 *
 * The object is pushed before second-phase construction, so a leave while
 * decoding aEncodedCerts destroys the half-built object instead of leaking it.
 *
 * @param aCertStore    Certificate store handed on to the validator.
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 * @param aRootCerts    Root certificates the caller trusts.
 * @return The constructed object, still on the cleanup stack.
 * @leave KErrNoMemory or any leave raised by ConstructL().
 */
EXPORT_C CPKIXCertChainBase* CPKIXCertChainBase::NewLC(MCertStore& aCertStore,
                                                       const TPtrC8& aEncodedCerts,
                                                       const RPointerArray<CX509Certificate>& aRootCerts)
    {
    CPKIXCertChainBase* chain = new(ELeave) CPKIXCertChainBase();
    CleanupStack::PushL(chain);
    chain->ConstructL(aCertStore, aEncodedCerts, aRootCerts);
    return chain;
    }
|
63 |
|
/**
 * Releases the intermediate certificates, the critical-extension list and the
 * validator active object.
 */
EXPORT_C CPKIXCertChainBase::~CPKIXCertChainBase()
    {
    // The intermediate certificates are owned by this object
    // (AddIntermediateCertsL() appends freshly decoded instances), so they are
    // deleted here.
    iIntermediateCerts.ResetAndDestroy();
    iIntermediateCerts.Close();
    // Close() only: the OID descriptors in this list are not owned. They are
    // either addresses of constants or pointers supplied by the caller.
    iSupportedCriticalExts.Close();

    // NOTE(review): the active object was created with a reference to *this
    // and is deleted after the certificates above are gone. Confirm that its
    // destructor / cancel path does not touch IntermediateCerts().
    // NOTE(review): iChain is allocated in DoConstructL() but not freed here;
    // presumably a base class destructor owns it - confirm.
    delete iActiveObject;
    }
|
72 |
|
73 //end of ctors & dtor |
|
74 |
|
/**
 * Starts validation of the chain without an initial policy set.
 *
 * Forwards to the active object with a null policy pointer. The request is
 * asynchronous: the outcome is delivered through aStatus and aValidationResult.
 *
 * @param aValidationResult Receives the validation outcome. Presumably retained
 *                          by the active object until the request completes,
 *                          so keep it alive until then - confirm.
 * @param aValidationTime   Time against which the chain is evaluated.
 * @param aStatus           Request status completed by the active object.
 * @leave Any leave raised by CPKIXCertChainAO::ValidateL().
 */
EXPORT_C void CPKIXCertChainBase::ValidateL(CPKIXValidationResultBase& aValidationResult,
                                            const TTime& aValidationTime,
                                            TRequestStatus& aStatus)
    {
    // NULL means "no initial policies were supplied by the caller".
    iActiveObject->ValidateL(aValidationResult, aValidationTime, NULL, aStatus);
    }
|
81 |
|
/**
 * Starts validation of the chain with a caller-supplied initial policy set.
 *
 * Forwards to the active object, passing the address of aInitialPolicies. The
 * request is asynchronous: the outcome is delivered through aStatus and
 * aValidationResult.
 *
 * @param aValidationResult Receives the validation outcome.
 * @param aValidationTime   Time against which the chain is evaluated.
 * @param aInitialPolicies  Initial certificate policies. Only its address is
 *                          handed on, so the array must outlive the request
 *                          unless the active object copies it - confirm.
 * @param aStatus           Request status completed by the active object.
 * @leave Any leave raised by CPKIXCertChainAO::ValidateL().
 */
EXPORT_C void CPKIXCertChainBase::ValidateL(CPKIXValidationResultBase& aValidationResult,
                                            const TTime& aValidationTime,
                                            const CArrayPtr<HBufC>& aInitialPolicies,
                                            TRequestStatus& aStatus)
    {
    const CArrayPtr<HBufC>* policies = &aInitialPolicies;
    iActiveObject->ValidateL(aValidationResult, aValidationTime, policies, aStatus);
    }
|
89 |
|
/**
 * Cancels an outstanding validation request by delegating to the active
 * object. What state the result object is left in is decided there.
 */
EXPORT_C void CPKIXCertChainBase::CancelValidate()
    {
    iActiveObject->CancelValidate();
    }
|
94 |
|
/**
 * Reports the stored "chain has root" flag.
 *
 * The flag starts as EFalse (see the constructor) and is only changed through
 * SetChainHasRoot(), so the value is meaningful only after whoever calls that
 * setter has run - presumably the validator; confirm.
 *
 * @return The current value of iChainHasRoot.
 */
EXPORT_C TBool CPKIXCertChainBase::ChainHasRoot() const
    {
    return iChainHasRoot;
    }
|
99 |
|
/**
 * Adds further candidate certificates to the pool of intermediates.
 *
 * Delegates to AddIntermediateCertsL(), which decodes every certificate in
 * the buffer and discards the self-signed ones.
 *
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 * @leave Any leave raised while decoding or appending; certificates appended
 *        before the leave stay in the pool.
 */
EXPORT_C void CPKIXCertChainBase::AddCertL(const TPtrC8& aEncodedCerts)
    {
    AddIntermediateCertsL(aEncodedCerts);
    }
|
104 |
|
/**
 * Gives read-only access to the list of critical-extension OIDs this object
 * currently declares as supported.
 *
 * @return Reference to the internal array; it is invalidated by any call that
 *         modifies the list and by destruction of this object.
 */
EXPORT_C const RPointerArray<TDesC>& CPKIXCertChainBase::SupportedCriticalExtensions() const
    {
    return iSupportedCriticalExts;
    }
|
109 |
|
/**
 * Adds OIDs to the list of supported critical extensions, skipping any OID
 * whose text is already present.
 *
 * The list stores the caller's descriptor pointers, not copies, and the
 * destructor does not delete them. The descriptors must therefore stay valid
 * for as long as they are in the list.
 *
 * Security note: RFC 5280 requires a validator to reject a certificate that
 * carries a critical extension it does not recognise. Adding an OID here
 * presumably tells the validator to accept that extension as recognised, so
 * only add OIDs whose semantics the application really enforces - confirm how
 * the list is consulted in the validator.
 *
 * @param aCriticalExtOids OIDs to add; entries are compared by content.
 * @leave KErrNoMemory if the list cannot grow. Entries appended before the
 *        leave remain in the list.
 */
EXPORT_C void CPKIXCertChainBase::AddSupportedCriticalExtensionsL(const RPointerArray<TDesC>& aCriticalExtOids)
    {
    const TInt incoming = aCriticalExtOids.Count();
    for (TInt i = 0; i < incoming; ++i)
        {
        // Linear search; the list grows as we append, so duplicates inside
        // aCriticalExtOids itself are filtered out as well.
        TInt j = 0;
        while (j < iSupportedCriticalExts.Count()
               && !(*aCriticalExtOids[i] == *iSupportedCriticalExts[j]))
            {
            ++j;
            }
        if (j == iSupportedCriticalExts.Count())
            {
            iSupportedCriticalExts.AppendL(aCriticalExtOids[i]);
            }
        }
    }
|
131 |
|
/**
 * Removes from the supported list every OID whose text matches one of the
 * given OIDs.
 *
 * Only the pointer is dropped from the list; the descriptor it refers to is
 * not deleted, because the list does not own its entries.
 *
 * @param aCriticalExtOids OIDs to remove; entries are compared by content.
 */
EXPORT_C void CPKIXCertChainBase::RemoveSupportedCriticalExtensions(const RPointerArray<TDesC>& aCriticalExtOids)
    {
    const TInt removeCount = aCriticalExtOids.Count();
    // Walk backwards so that Remove() never shifts an entry we still have to
    // visit. An empty list simply skips the loop.
    TInt idx = iSupportedCriticalExts.Count() - 1;
    while (idx >= 0)
        {
        for (TInt k = 0; k < removeCount; ++k)
            {
            if (*aCriticalExtOids[k] == *iSupportedCriticalExts[idx])
                {
                iSupportedCriticalExts.Remove(idx);
                break;
                }
            }
        --idx;
        }
    }
|
151 |
|
/**
 * Replaces the supported critical-extension list with the given OIDs.
 *
 * The old list is emptied first (the descriptors themselves are not deleted)
 * and the new entries are then added with duplicate filtering. If adding
 * leaves part-way, the list holds only the entries added so far; the previous
 * contents are not restored. Passing an empty array leaves no extension
 * marked as supported.
 *
 * The caller's descriptor pointers are stored, not copied, so they must
 * outlive their presence in the list.
 *
 * @param aCriticalExtOids The complete new set of supported OIDs.
 * @leave KErrNoMemory if the list cannot grow.
 */
EXPORT_C void CPKIXCertChainBase::SetSupportedCriticalExtensionsL(const RPointerArray<TDesC>& aCriticalExtOids)
    {
    iSupportedCriticalExts.Reset();
    AddSupportedCriticalExtensionsL(aCriticalExtOids);
    }
|
157 |
|
/**
 * Restores the supported critical-extension list to the built-in default set.
 *
 * The list is emptied and then filled with the addresses of the OID constants
 * below, in this order. If an append leaves, the list is left holding only the
 * entries added so far.
 *
 * Security note: RFC 5280 requires rejecting a certificate that carries a
 * critical extension the validator does not recognise. Each OID listed here is
 * a statement that the extension is understood; how the validator acts on the
 * list is not visible in this function.
 *
 * @leave KErrNoMemory if the list cannot grow.
 */
EXPORT_C void CPKIXCertChainBase::ResetSupportedCriticalExtsToDefaultL()
    {
    const TDesC* const defaults[] =
        {
        // standard X.509 extensions
        &KExtendedKeyUsage,
        // Original note: "RFC - MUST be non-critical". That is the RFC 3280
        // wording; RFC 5280 says CAs SHOULD mark policy mappings critical.
        &KPolicyMapping,
        &KSubjectAltName,
        &KKeyUsage,
        &KBasicConstraints,
        &KNameConstraints,
        &KPolicyConstraints,
        &KCertPolicies,
        &KInhibitAnyPolicy,
        // Symbian critical extensions
        &KDeviceIdListConstraint,
        &KSidListConstraint,
        &KVidListConstraint,
        &KCapabilitiesConstraint
        };
    const TInt defaultCount = sizeof(defaults) / sizeof(defaults[0]);

    iSupportedCriticalExts.Reset();
    for (TInt i = 0; i < defaultCount; ++i)
        {
        iSupportedCriticalExts.AppendL(defaults[i]);
        }
    }
|
177 |
|
178 |
|
/**
 * Stores whether a failed validity-period (date) check is to be treated as
 * fatal.
 *
 * The constructor sets this to ETrue. The flag is only recorded here; its
 * effect is decided by whoever reads ValidityPeriodCheckFatal().
 *
 * Security note: judging by the name, passing EFalse downgrades an expired or
 * not-yet-valid certificate from an error to something weaker - confirm in the
 * validator. A caller that does so should inspect the validation result for
 * date problems itself rather than treating the chain as fully valid.
 *
 * @param aIsFatal ETrue to treat date-check failures as fatal, EFalse otherwise.
 */
EXPORT_C void CPKIXCertChainBase::SetValidityPeriodCheckFatal(TBool aIsFatal)
    {
    iDateTimeCheckFatal = aIsFatal;
    }
|
183 |
|
184 |
|
/**
 * Reports whether a failed validity-period (date) check is currently treated
 * as fatal.
 *
 * @return The stored flag: ETrue by default, or the last value given to
 *         SetValidityPeriodCheckFatal().
 */
EXPORT_C TBool CPKIXCertChainBase::ValidityPeriodCheckFatal() const
    {
    return iDateTimeCheckFatal;
    }
|
189 |
|
190 //private functions |
|
191 //************************************************************************// |
|
192 |
|
/**
 * First-phase constructor; cannot leave.
 *
 * Starts with "no root found yet" and with date-check failures treated as
 * fatal, i.e. the stricter of the two settings is the default.
 */
EXPORT_C CPKIXCertChainBase::CPKIXCertChainBase()
    : iChainHasRoot(EFalse),
      iDateTimeCheckFatal(ETrue)
    {
    }
|
197 |
|
/**
 * Second-phase constructor for the client-UID trust model.
 *
 * Creates the validator active object with the store and client UID, then
 * decodes the supplied certificates.
 *
 * @param aCertStore    Certificate store handed on to the validator.
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 * @param aClient       UID forwarded to CPKIXCertChainAO::NewL().
 * @leave Any leave raised by CPKIXCertChainAO::NewL() or DoConstructL().
 */
EXPORT_C void CPKIXCertChainBase::ConstructL(MCertStore& aCertStore, const TPtrC8& aEncodedCerts,
                                             TUid aClient)
    {
    // The active object keeps a reference to this chain object.
    iActiveObject = CPKIXCertChainAO::NewL(aCertStore, *this, aClient);
    DoConstructL(aEncodedCerts);
    }
|
204 |
|
/**
 * Second-phase constructor for the explicit-roots trust model.
 *
 * This overload takes the set of root certificates the caller trusts. Root
 * certificates held in the certificate store are deliberately not taken into
 * account, because the store's trust model (each certificate carries the UIDs
 * of the applications that trust it) is not the one wanted here. This is
 * consistent with FindIssuer, which only looks for non-root certificates in
 * the store.
 *
 * Security note: with this overload the caller's aRootCerts array is the whole
 * trust anchor set, so its contents decide which chains can validate.
 *
 * @param aCertStore    Certificate store handed on to the validator.
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 * @param aRootCerts    Root certificates the caller trusts.
 * @leave Any leave raised by CPKIXCertChainAO::NewL() or DoConstructL().
 */
EXPORT_C void CPKIXCertChainBase::ConstructL(MCertStore& aCertStore, const TPtrC8& aEncodedCerts,
                                             const RPointerArray<CX509Certificate>& aRootCerts)
    {
    // The active object keeps a reference to this chain object.
    iActiveObject = CPKIXCertChainAO::NewL(aCertStore, *this, aRootCerts);
    DoConstructL(aEncodedCerts);
    }
|
220 |
|
/**
 * Shared tail of both ConstructL() overloads.
 *
 * Allocates the chain array, decodes the first certificate in the buffer as
 * the end-entity certificate, loads the candidate intermediates and installs
 * the default supported critical-extension list.
 *
 * Note that AddIntermediateCertsL() decodes the buffer again from offset 0, so
 * the end-entity certificate is decoded a second time and, unless it is
 * self-signed, also lands in the intermediate pool.
 *
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 *                      Typically peer-supplied data; a buffer that does not
 *                      decode makes CX509Certificate::NewLC() leave.
 * @leave KErrNoMemory or any decoding leave.
 */
void CPKIXCertChainBase::DoConstructL(const TPtrC8& aEncodedCerts)
    {
    iChain = new(ELeave) CArrayPtrFlat<CX509Certificate> (1);

    TInt offset = 0;
    CX509Certificate* endEntity = CX509Certificate::NewLC(aEncodedCerts, offset);
    // Ownership moves to iChain only once the append has succeeded.
    iChain->AppendL(endEntity);
    CleanupStack::Pop(endEntity);

    AddIntermediateCertsL(aEncodedCerts);
    ResetSupportedCriticalExtsToDefaultL();
    }
|
232 |
|
/**
 * Decodes every certificate in the buffer and keeps the ones that are not
 * self-signed as candidate intermediates.
 *
 * Self-signed certificates are dropped because they cannot be part of a chain
 * that ends in a root certificate we trust; trust anchors never come from
 * this buffer.
 *
 * The number of certificates accepted is bounded only by the buffer length.
 * Where the buffer comes from an untrusted peer, the caller is the place to
 * cap its size.
 *
 * @param aEncodedCerts One or more encoded X.509 certificates, back to back.
 * @leave Any leave from CX509Certificate::NewLC() or IsSelfSignedL(), or the
 *        error returned by Append(). Certificates appended before the leave
 *        stay in iIntermediateCerts.
 */
void CPKIXCertChainBase::AddIntermediateCertsL(const TPtrC8& aEncodedCerts)
    {
    TInt offset = 0;
    const TInt length = aEncodedCerts.Length();
    while (offset < length)
        {
        // NewLC() advances offset past the certificate it decoded.
        CX509Certificate* cert = CX509Certificate::NewLC(aEncodedCerts, offset);
        if (!cert->IsSelfSignedL())
            {
            // Pop only after the array has taken ownership.
            User::LeaveIfError(iIntermediateCerts.Append(cert));
            CleanupStack::Pop(cert);
            continue;
            }
        CleanupStack::PopAndDestroy(cert);
        }
    }
|
254 |
|
/**
 * Deletes the last aNumberOfCertsToRemove certificates of the chain and
 * removes their slots from the array.
 *
 * NOTE(review): the bounds check is __ASSERT_DEBUG, which is compiled out of
 * release builds. There, a count larger than the chain length yields a
 * negative start index that is passed straight to operator[]. Consider
 * __ASSERT_ALWAYS if callers can ever derive the count from certificate data.
 *
 * @param aNumberOfCertsToRemove How many trailing certificates to drop; must
 *                               not exceed the current chain length.
 */
void CPKIXCertChainBase::RemoveLastCerts(TInt aNumberOfCertsToRemove)
    {
    __ASSERT_DEBUG(iChain->Count() >= aNumberOfCertsToRemove,
                   User::Panic(_L("CPKIXCertChain"), 1));

    // The index stays fixed: every Delete() shrinks the array, so the next
    // certificate to remove slides into the same slot.
    const TInt first = iChain->Count() - aNumberOfCertsToRemove;
    while (first < iChain->Count())
        {
        delete (*iChain)[first];
        iChain->Delete(first);
        }
    }
|
267 |
|
/**
 * Gives mutable access to the chain array.
 *
 * Panics in all builds if the array has not been allocated yet, i.e. if
 * DoConstructL() has not run.
 *
 * NOTE(review): the panic category is spelled "CPKICCertChainBase" (sic). It
 * is runtime text and is left unchanged here.
 *
 * @return Reference to the chain array owned through iChain.
 */
CArrayPtrFlat<CX509Certificate>& CPKIXCertChainBase::Chain()
    {
    __ASSERT_ALWAYS(iChain, User::Panic(_L("CPKICCertChainBase"), 1));
    return *iChain;
    }
|
273 |
|
/**
 * Gives read-only access to the pool of candidate intermediate certificates.
 *
 * The pool holds every non-self-signed certificate decoded from the buffers
 * given at construction and through AddCertL(). These are candidates only;
 * nothing in this file has verified them.
 *
 * @return Reference to the internal array; the certificates remain owned by
 *         this object.
 */
const RPointerArray<CX509Certificate>& CPKIXCertChainBase::IntermediateCerts()
    {
    return iIntermediateCerts;
    }
|
278 |
|
/**
 * Non-const, non-exported overload of ChainHasRoot(); returns the same stored
 * flag as the exported const version.
 *
 * @return The current value of iChainHasRoot.
 */
TBool CPKIXCertChainBase::ChainHasRoot()
    {
    return iChainHasRoot;
    }
|
283 |
|
/**
 * Records whether the chain has a root.
 *
 * Not exported; presumably called by the validator once it has tried to find
 * a root for the chain - confirm in CPKIXCertChainAO.
 *
 * @param aHasRoot New value for the flag returned by ChainHasRoot().
 */
void CPKIXCertChainBase::SetChainHasRoot(TBool aHasRoot)
    {
    iChainHasRoot = aHasRoot;
    }