|
1 /* |
|
2 * Copyright (c) 1997-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
19 #include "pkixcerts.h" |
|
20 #include <ccertattributefilter.h> |
|
21 #include <cctcertinfo.h> |
|
22 |
|
23 // CPKIXCertSource |
|
24 //////////////////// |
|
25 |
|
// Out-of-line destructor for the certificate-source interface.
// It has nothing to release.
MPKIXCertSource::~MPKIXCertSource()
    {
    }
|
29 |
|
// Returns ETrue iff the issuer alternative name carried by aSubjectCert matches
// the subject alternative name carried by aIssuerCert. Returns EFalse when
// either certificate lacks the relevant extension.
//
// This is a name comparison only: a match makes aIssuerCert a plausible issuer
// by name, nothing more. No signature or trust check is performed here.
//
// Leaves if either extension cannot be decoded.
TBool MPKIXCertSource::AltNameMatchL(const CX509Certificate& aSubjectCert,
                                     const CX509Certificate& aIssuerCert) const
    {
    const CX509CertExtension* issuerAltNameExt = aSubjectCert.Extension(KIssuerAltName);
    const CX509CertExtension* subjectAltNameExt = aIssuerCert.Extension(KSubjectAltName);
    if (!issuerAltNameExt || !subjectAltNameExt)
        {
        return EFalse;
        }

    // Decode in the same order as before: the subject certificate's issuer
    // alt name first, then the issuer certificate's subject alt name.
    const CX509AltNameExt* claimedIssuer = CX509AltNameExt::NewLC(issuerAltNameExt->Data());
    const CX509AltNameExt* actualSubject = CX509AltNameExt::NewLC(subjectAltNameExt->Data());

    TBool matched = EFalse;
    if (actualSubject->Match(*claimedIssuer))
        {
        matched = ETrue;
        }

    CleanupStack::PopAndDestroy(2); // actualSubject, claimedIssuer
    return matched;
    }
|
50 |
|
51 // CPKIXCertsFromStore |
|
52 //////////////////////// |
|
53 |
|
// Two-phase factory for a source backed by aCertStore.
// The caller owns the returned object, which is not left on the cleanup stack.
CPKIXCertsFromStore* CPKIXCertsFromStore::NewL(MCertStore& aCertStore)
    {
    CPKIXCertsFromStore* source = CPKIXCertsFromStore::NewLC(aCertStore);
    CleanupStack::Pop(source);
    return source;
    }
|
60 |
|
// Two-phase factory for a source backed by aCertStore.
// The returned object is left on the cleanup stack.
CPKIXCertsFromStore* CPKIXCertsFromStore::NewLC(MCertStore& aCertStore)
    {
    CPKIXCertsFromStore* source = new(ELeave) CPKIXCertsFromStore(aCertStore);
    CleanupStack::PushL(source);
    source->ConstructL();
    return source;
    }
|
68 |
|
// Two-phase factory for a source backed by aCertStore, with the certificate
// filter additionally restricted to aClient.
// The caller owns the returned object, which is not left on the cleanup stack.
CPKIXCertsFromStore* CPKIXCertsFromStore::NewL(MCertStore& aCertStore, TUid aClient)
    {
    CPKIXCertsFromStore* source = CPKIXCertsFromStore::NewLC(aCertStore, aClient);
    CleanupStack::Pop(source);
    return source;
    }
|
75 |
|
// Two-phase factory for a source backed by aCertStore, with the certificate
// filter additionally restricted to aClient.
// The returned object is left on the cleanup stack.
CPKIXCertsFromStore* CPKIXCertsFromStore::NewLC(MCertStore& aCertStore, TUid aClient)
    {
    CPKIXCertsFromStore* source = new(ELeave) CPKIXCertsFromStore(aCertStore, aClient);
    CleanupStack::PushL(source);
    source->ConstructL(aClient);
    return source;
    }
|
83 |
|
// Starts the asynchronous listing of store entries that pass iFilter.
// aStatus is completed from RunL (or RunError / DoCancel) once the list
// request has finished.
//
// In the case of a WIM, we don't have trust settings: the WIM store will
// ignore the filter and return all certificates. The per-entry Trusted() query
// made later in HandleECheckTrusted is therefore the check that decides which
// entries may become candidates.
void CPKIXCertsFromStore::Initialize(TRequestStatus& aStatus)
    {
    iOriginalRequestStatus = &aStatus;
    aStatus = KRequestPending;

    iState = EInitialize;
    iCertStore.List(iCertInfos, *iFilter, iStatus);
    SetActive();
    }
|
94 |
|
// Starts the asynchronous search of the listed store entries for possible
// issuers of aSubject. Matching certificates are appended to aCandidates and
// aStatus is completed when every entry has been examined.
//
// Only pointers to aSubject and aCandidates are stored, so both must stay
// valid until aStatus completes.
void CPKIXCertsFromStore::CandidatesL(const CX509Certificate& aSubject,
                                      RPointerArray<CX509Certificate>& aCandidates,
                                      TRequestStatus& aStatus)
    {
    iOriginalRequestStatus = &aStatus;
    aStatus = KRequestPending;

    // Remember what is being searched for and where the results go.
    iSubject = &aSubject;
    iRootName = &aSubject.IssuerName();
    iCandidates = &aCandidates;

    // HandleECheckTrusted pre-increments, so start one before the first entry.
    iEntriesIndex = -1;
    iState = ECheckTrusted;

    // Self-complete so the state machine starts on the next RunL.
    TRequestStatus* ownStatus = &iStatus;
    User::RequestComplete(ownStatus, KErrNone);
    SetActive();
    }
|
112 |
|
// Cancels a candidate search in progress. The work is done by the active
// object's Cancel(), which calls DoCancel() when a request is outstanding.
void CPKIXCertsFromStore::CancelCandidates()
    {
    Cancel();
    }
|
117 |
|
// Destroys this object. The caller must not use it after this call.
void CPKIXCertsFromStore::Release()
    {
    delete this;
    }
|
122 |
|
// Cancels any outstanding request first, so the store is no longer using the
// retrieval buffer, then frees everything this object owns.
CPKIXCertsFromStore::~CPKIXCertsFromStore()
    {
    Cancel();

    iCertInfos.Close();
    delete iFilter;

    // Retrieval buffer and the descriptor over it. These are only non-null if
    // a retrieval was started and its result never consumed.
    delete iCertData;
    delete iCertPtr;
    }
|
134 |
|
135 //private functions |
|
// First-phase constructor: stores the certificate store reference and
// registers this active object with the current active scheduler.
CPKIXCertsFromStore::CPKIXCertsFromStore(MCertStore& aCertStore)
    : CActive(EPriorityNormal),
      iCertStore(aCertStore)
    {
    CActiveScheduler::Add(this);
    }
|
141 |
|
// First-phase constructor for the client-restricted variant: stores the client
// UID and the certificate store reference, then registers this active object
// with the current active scheduler.
CPKIXCertsFromStore::CPKIXCertsFromStore(MCertStore& aCertStore, TUid aClient)
    : CActive(EPriorityNormal),
      iClient(aClient),
      iCertStore(aCertStore)
    {
    CActiveScheduler::Add(this);
    }
|
147 |
|
// Second-phase constructor: builds the filter used by Initialize() so that
// only X.509 CA certificates are listed from the store.
// Leaves if the filter cannot be allocated.
void CPKIXCertsFromStore::ConstructL()
    {
    iFilter = CCertAttributeFilter::NewL();

    // X.509 format, CA owner type: the only entries usable as issuers here.
    iFilter->SetFormat(EX509Certificate);
    iFilter->SetOwnerType(ECACertificate);
    }
|
154 |
|
// Second-phase constructor for the client-restricted variant: builds the
// filter used by Initialize() so that only X.509 CA certificates associated
// with aClient are listed from the store.
// Leaves if the filter cannot be allocated.
void CPKIXCertsFromStore::ConstructL(TUid aClient)
    {
    iFilter = CCertAttributeFilter::NewL();

    // Restrict by client UID before the format and owner-type restrictions.
    iFilter->SetUid(aClient);
    iFilter->SetFormat(EX509Certificate);
    iFilter->SetOwnerType(ECACertificate);
    }
|
162 |
|
// Active-object completion handler: drives the state machine.
//
// iState names the step to perform now that the previous request has
// completed. A failed request leaves here, and RunError() then reports the
// error to the client.
void CPKIXCertsFromStore::RunL()
    {
    User::LeaveIfError(iStatus.Int());

    switch (iState)
        {
        case EInitialize:
            // Listing finished: report its result to the client.
            iState = EIdle;
            User::RequestComplete(iOriginalRequestStatus, iStatus.Int());
            break;

        case ECheckTrusted:
            // Move to the next entry and ask the store whether it is trusted.
            HandleECheckTrusted();
            break;

        case EGetCertificate:
            // Trust answer is in: retrieve the certificate or skip the entry.
            HandleEGetCertificateL();
            break;

        case EAddCandidate:
            // Certificate data is in: parse it and decide if it is a candidate.
            HandleEAddCandidateL();
            break;

        case EEnd:
            // Every entry has been examined: the search is complete.
            iState = EIdle;
            User::RequestComplete(iOriginalRequestStatus, KErrNone);
            break;

        default:
            // No request is ever issued in any other state.
            User::Panic(_L("CPKIXCertsFromStore"), 1);
            break;
        }
    }
|
196 |
|
// Called when RunL leaves: passes the leave code to the client's request.
// Returns KErrNone to tell the active scheduler the error has been handled.
// NOTE(review): iState is not reset here; the next Initialize()/CandidatesL()
// call overwrites it.
TInt CPKIXCertsFromStore::RunError(TInt aError)
    {
    User::RequestComplete(iOriginalRequestStatus, aError);
    return KErrNone;
    }
|
202 |
|
// Cancels whichever store request is outstanding and completes the client's
// request with KErrCancel.
//
// iState names the step that would run next, so the outstanding request is the
// one issued by the previous step: EGetCertificate means a Trusted() query is
// pending, EAddCandidate means a Retrieve() is pending.
void CPKIXCertsFromStore::DoCancel()
    {
    switch (iState)
        {
        case EInitialize:
            iCertStore.CancelList();
            break;

        case EGetCertificate:
            iCertStore.CancelTrusted();
            break;

        case EAddCandidate:
            // The retrieval buffers are not released here. They stay allocated
            // until the destructor runs or they are next handled.
            iCertStore.CancelRetrieve();
            break;

        case ECheckTrusted:
        case EEnd:
            // Self-completed request: there is nothing in the store to cancel.
            break;

        default:
            // No request is ever outstanding in any other state.
            User::Panic(_L("CPKIXCertsFromStore"), 1);
            break;
        }

    User::RequestComplete(iOriginalRequestStatus, KErrCancel);
    iState = EIdle;
    }
|
232 |
|
// Advances to the next listed entry and asks the store whether it is trusted,
// or moves to EEnd when the list is exhausted.
// iEntriesIndex has been initialized to -1 by CandidatesL.
void CPKIXCertsFromStore::HandleECheckTrusted()
    {
    ++iEntriesIndex;

    if (iEntriesIndex >= iCertInfos.Count())
        {
        // No entries left: self-complete so RunL finishes the search.
        iState = EEnd;
        TRequestStatus* ownStatus = &iStatus;
        User::RequestComplete(ownStatus, KErrNone);
        }
    else
        {
        const CCTCertInfo* entry = iCertInfos[iEntriesIndex];

        // Fix for DEF017139 "PKIXCert ignores trust".
        // Query the trust setting first. HandleEGetCertificateL discards the
        // entry unless the store reports it as trusted, so an untrusted store
        // entry never becomes a candidate issuer.
        iCertStore.Trusted(*entry, iIsTrusted, iStatus);
        iState = EGetCertificate;
        }

    SetActive();
    }
|
253 |
|
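// Acts on the trust answer for the current entry: a trusted entry has its
// encoded certificate retrieved from the store, an untrusted one is skipped.
//
// Leaves if the retrieval buffer cannot be allocated. RunError() then reports
// the error to the client.
void CPKIXCertsFromStore::HandleEGetCertificateL()
    {
    if (!iIsTrusted)
        {
        // Not trusted: discard this entry and check the next one for trust.
        iState = ECheckTrusted;
        TRequestStatus* ownStatus = &iStatus;
        User::RequestComplete(ownStatus, KErrNone);
        SetActive();
        return;
        }

    // Fine to trust, go ahead.
    const CCTCertInfo* entry = iCertInfos[iEntriesIndex];

    // Buffers from an earlier retrieval can still be set here: after a cancel
    // while Retrieve() was outstanding, after a leave while the retrieved data
    // was being parsed, or after the TPtr8 allocation below left. No request
    // is using them at this point, so release them rather than leak them
    // (previously a debug-only panic, and a silent leak in release builds).
    delete iCertPtr;
    iCertPtr = NULL;
    delete iCertData;
    iCertData = NULL;

    // The buffer is sized from the store's own metadata for this entry.
    // The descriptor handed to Retrieve() carries that length as its limit.
    iCertData = HBufC8::NewL(entry->Size());
    iCertPtr = new(ELeave) TPtr8(iCertData->Des());
    iCertStore.Retrieve(*entry, *iCertPtr, iStatus);
    iState = EAddCandidate;

    SetActive();
    }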
|
275 |
|
276 |
|
// Returns ETrue if aCandidate is already present in the caller's candidate
// list, EFalse otherwise.
//
// A certificate is a duplicate iff
//  a) the key identifiers (public key hashes) are equal, and
//  b) the serial numbers are identical.
//
// Leaves if a key identifier cannot be computed.
TBool CPKIXCertsFromStore::IsDuplicateL(const CX509Certificate& aCandidate)
    {
    const TInt total = iCandidates->Count();
    TInt index = 0;
    while (index < total)
        {
        CX509Certificate* existing = (*iCandidates)[index];

        // The key identifier is compared first. The serial number is only
        // looked at when the keys already agree.
        if (existing->KeyIdentifierL() == aCandidate.KeyIdentifierL()
            && existing->SerialNumber() == aCandidate.SerialNumber())
            {
            return ETrue;
            }

        ++index;
        }

    return EFalse;
    }
|
300 |
|
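// Parses the certificate just retrieved from the store and appends it to the
// caller's candidate list if it is a plausible issuer of the subject. It then
// schedules the trust check for the next entry.
//
// Matching is by name only:
//  - if the subject has a non-empty issuer DN, the candidate's subject DN must
//    match it exactly and the candidate must not already be in the list;
//  - otherwise the candidate must have an empty subject DN and its subject
//    alt name must match the subject's issuer alt name.
// NOTE(review): the alt-name branch has no duplicate check. Confirm that is
// intended.
//
// Leaves if the retrieved data cannot be parsed or the append fails. RunError()
// then reports the error to the client.
void CPKIXCertsFromStore::HandleEAddCandidateL()
    {
    // Detach the retrieval buffers from the object before parsing. If the
    // stored data is malformed and parsing leaves, the encoding is then freed
    // by the cleanup stack. Previously both buffers stayed attached to the
    // object on that path.
    HBufC8* encoding = iCertData;
    iCertData = NULL;
    delete iCertPtr;
    iCertPtr = NULL;
    CleanupStack::PushL(encoding);

    CX509Certificate* candidate = CX509Certificate::NewL(*encoding);
    CleanupStack::PopAndDestroy(encoding);
    CleanupStack::PushL(candidate);

    TBool accept = EFalse;
    if (iRootName->Count() > 0)
        {
        accept = candidate->SubjectName().ExactMatchL(*iRootName)
                 && !IsDuplicateL(*candidate);
        }
    else
        {
        const CX500DistinguishedName& candidateName = candidate->SubjectName();
        accept = (candidateName.Count() == 0)
                 && AltNameMatchL(*iSubject, *candidate);
        }

    if (accept)
        {
        // Ownership passes to the caller's array only once Append succeeds.
        User::LeaveIfError(iCandidates->Append(candidate));
        CleanupStack::Pop(candidate);
        }
    else
        {
        CleanupStack::PopAndDestroy(candidate);
        }

    // Self-complete to carry on with the next entry.
    iState = ECheckTrusted;
    TRequestStatus* ownStatus = &iStatus;
    User::RequestComplete(ownStatus, KErrNone);
    SetActive();
    }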
|
340 |
|
341 //CPKIXCertsFromClient |
|
342 //public functions |
|
// Creates a source over the client-supplied certificates in aCerts.
// Only a reference to the array is kept, so it must outlive the returned
// object. The caller owns the returned object.
CPKIXCertsFromClient* CPKIXCertsFromClient::NewL(const RPointerArray<CX509Certificate>& aCerts)
    {
    return new(ELeave) CPKIXCertsFromClient(aCerts);
    }
|
348 |
|
// Creates a source over the client-supplied certificates in aCerts and leaves
// it on the cleanup stack. Only a reference to the array is kept, so it must
// outlive the returned object.
CPKIXCertsFromClient* CPKIXCertsFromClient::NewLC(const RPointerArray<CX509Certificate>& aCerts)
    {
    CPKIXCertsFromClient* source = new(ELeave) CPKIXCertsFromClient(aCerts);
    CleanupStack::PushL(source);
    return source;
    }
|
355 |
|
// Destroys this object. The caller must not use it after this call.
void CPKIXCertsFromClient::Release()
    {
    delete this;
    }
|
360 |
|
// Nothing to free: iCerts is a reference to an array the client owns.
CPKIXCertsFromClient::~CPKIXCertsFromClient()
    {
    }
|
364 |
|
// Appends to aCandidates a copy of every client-supplied certificate that is a
// plausible issuer of aSubject, then completes aStatus with KErrNone.
//
// There is no need for this to be asynchronous, but it is because the base
// class wants it to be. The work is done before the function returns.
//
// Matching is by name only:
//  - if aSubject has a non-empty issuer DN, the candidate's subject DN must
//    match it exactly;
//  - otherwise the candidate must have an empty subject DN and its subject
//    alt name must match aSubject's issuer alt name.
// No trust or duplicate check is made on these client-supplied certificates.
// NOTE(review): presumably the caller validates the chain afterwards. Confirm.
//
// Leaves if a match test, a certificate copy or an append fails. In that case
// aStatus is not completed and aCandidates may hold the matches found so far.
void CPKIXCertsFromClient::CandidatesL(const CX509Certificate& aSubject,
                                       RPointerArray<CX509Certificate>& aCandidates,
                                       TRequestStatus& aStatus)
    {
    const CX500DistinguishedName& rootName = aSubject.IssuerName();
    const TInt count = iCerts.Count();
    const TBool matchByDn = (rootName.Count() > 0);

    for (TInt i = 0; i < count; i++)
        {
        const CX509Certificate* candidate = iCerts[i];

        TBool plausibleIssuer = EFalse;
        if (matchByDn)
            {
            plausibleIssuer = candidate->SubjectName().ExactMatchL(rootName);
            }
        else
            {
            const CX500DistinguishedName& candidateName = candidate->SubjectName();
            plausibleIssuer = (candidateName.Count() == 0)
                              && AltNameMatchL(aSubject, *candidate);
            }

        if (plausibleIssuer)
            {
            // The caller's array receives its own copy, which it then owns.
            CX509Certificate* copy = CX509Certificate::NewLC(*candidate);
            User::LeaveIfError(aCandidates.Append(copy));
            CleanupStack::Pop(copy);
            }
        }

    TRequestStatus* clientStatus = &aStatus;
    User::RequestComplete(clientStatus, KErrNone);
    }
|
406 |
|
// Nothing to cancel: CandidatesL does all its work and completes the request
// before it returns.
void CPKIXCertsFromClient::CancelCandidates()
    {
    }
|
411 |
|
412 //private functions |
|
// Stores a reference to the client's certificate array. No copy is taken.
CPKIXCertsFromClient::CPKIXCertsFromClient(const RPointerArray<CX509Certificate>& aCerts)
    : iCerts(aCerts)
    {
    }