--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/cryptoservices/certificateandkeymgmt/pkixcertbase/pkixCons.h	Wed Jul 08 11:25:26 2009 +0100
@@ -0,0 +1,151 @@
+/*
+* Copyright (c) 1998-2009 Nokia Corporation and/or its subsidiary(-ies).
+* All rights reserved.
+* This component and the accompanying materials are made available
+* under the terms of the License "Eclipse Public License v1.0"
+* which accompanies this distribution, and is available
+* at the URL "http://www.eclipse.org/legal/epl-v10.html".
+*
+* Initial Contributors:
+* Nokia Corporation - initial contribution.
+*
+* Contributors:
+*
+* Description: 
+* TPKIXConstraint and TPKIXPolicyConstraint implementations
+*
+*/
+
+
+
+
+/**
+ @file 
+ @internalTechnology
+*/
+ 
+#if !defined (__PKIXCONS_H__)
+#define __PKIXCONS_H__
+
+#include <e32std.h>
+#include <x509cert.h>
+#include <x509certchain.h>
+#include <x509certext.h>
+#include <x509gn.h>
+#include <pkixcertchain.h>
+#include "pkixcertstate.h"
+
+class TPKIXConstraint
+	{
+protected:
+	TPKIXConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void Remove(CArrayPtrFlat<CX509CertExtension>& aCriticalExtensions, const TDesC& aOID);
+	CPKIXValidationState& iState;
+	CPKIXValidationResultBase& iResult;
+	};
+
+/*
+Certificate policies are processed in the following way:
+
+Inputs:
+------
+user-constrained policy set: set of policies deemed acceptable to client of PKIXCert (relying party)
+
+Variables:
+---------
+UP: user-constrained-policy set: initialised by user, or set to empty (='any-policy', since empty is not a sensible value)
+AP: authority-constrained policy set: set of policies deemed acceptable to issuing authority, initialised to 'any-policy'
+MP: mapped policy set: set of mapped policies, initialised to empty
+explicit policy:	integer indicating position of first certificate in path where explicit policy ID is required.
+					intialised to n+1 where n=length of chain
+policy mapping:		integer indicating position of last certificate in path where policy mapping is allowed
+					intialised to n+1 where n=length of chain
+
+Processing:
+----------
+For each certificate in chain, where certificate is at i in the chain (root being 1, ee cert being n):
+
+-if explicit policy <= i, a policy ID in cert shall be in UP
+-if policy mapping <= i, policy may not be mapped
+-if the cert doesn't contain a policy extension, then:
+	-if AP = any, AP is unchanged
+	-else AP is set to empty
+-if the cert contains a policy extension then 
+	-AP is set to the intersection of AP and CP
+	-any mapped policies occurring in CP are added to AP
+
+-if we can do mapping, then
+	-if AP = any then 
+		-all the 'subject' policies are added to MP
+		-for all mapped policies, if the 'issuer' policy is in UP then the 'subject' policy is added to UP
+	-if AP != any then
+		-for all mapped policies, 
+			-if the issuer policy is in AP then
+				-the subject policy is added to MP
+				-if the issuer policy is in UP then the subject policy is added to UP
+
+At the end of the chain,
+-if UP = any then we pass
+-if UP != any then 
+	-if AP = any then we fail
+	-otherwise we intersect AP and UP; if the result is empty then we fail
+
+It is not entirely clear that this is a faithful implementation of the algorithm described in RFC 2459 
+section 6.1, because the spec is a little ambiguous here. Additionally, this section of the spec is 
+currently undergoing revision (true as of 12 April 2000). So when it's finished being revised, the code
+here should be revised to reflect the spec.
+
+However, for the test vectors that I have at this time this appears to give sensible results.
+
+*/
+
+class TPKIXPolicyConstraint : public TPKIXConstraint
+	{
+public:
+	TPKIXPolicyConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void CheckCertPoliciesL(const CX509Certificate& aCert);
+	void UpdatePolicyConstraintsL(const CX509Certificate& aCert);
+	void FinishPolicyCheckL();
+private:
+	void IntersectCertPoliciesL(const CX509CertPoliciesExt& aPolicyExt);
+	void UpdateConstraint(const TX509PolicyConstraint& aConstraint, TInt& aCountdown);
+	CArrayPtrFlat<CX509CertPolicyInfo>* IntersectionLC(	const CArrayPtrFlat<CX509CertPolicyInfo>& aFirst,
+														const CArrayPtrFlat<CX509CertPolicyInfo>& aSecond);
+	TBool PolicyIsPresentL(	const CArrayPtrFlat<CX509CertPolicyInfo>& aPolicies, 
+							const CArrayPtr<HBufC>& aAcceptablePolicies);
+	static void CleanupPolicyInfoArray(TAny* aPolicies);
+	};
+
+class TPKIXNameConstraint : public TPKIXConstraint
+	{
+public:
+	TPKIXNameConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void CheckNameConstraintsL(	const CX509Certificate& aCert);
+	void UpdateNameConstraintsL(const CX509Certificate& aCert);
+private:
+	TBool NameIsPresentL(const CX500DistinguishedName& aSubject,
+						const CArrayPtrFlat<CX500DistinguishedName>& aSubtrees);
+	TBool NameIsPresent(const CX509DomainName& aSubject,
+						const CArrayPtrFlat<CX509DomainName>& aSubtrees);
+	TBool NameIsPresent(const CX509IPAddress& aSubject,
+						const CArrayPtrFlat<CX509IPSubnetMask>& aSubtrees);
+	};
+
+class TPKIXBasicConstraint : public TPKIXConstraint
+	{
+public:
+	TPKIXBasicConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void CheckCertSubjectTypeL(const CX509Certificate& aCert);
+	void UpdatePathLengthConstraintsL(const CX509Certificate& aCert);
+private:
+	};
+
+class TPKIXKeyUsageConstraint : public TPKIXConstraint
+	{
+public:
+	TPKIXKeyUsageConstraint(CPKIXValidationState& aState, CPKIXValidationResultBase& aResult);
+	void CheckKeyUsageL(const CX509Certificate& aCert);
+private:
+	};
+
+#endif