cryptomgmtlibs/securitydocs/ocsp.txt
author Shabe Razvi <shaber@symbian.org>
Wed, 14 Oct 2009 16:25:57 +0100
changeset 12 46545a826031
parent 8 35751d3474b7
permissions -rw-r--r--
Added tag PDK_3.0.a for changeset 9d767430696e

How to use OSCP
===============

Note: The actual code snippets are indented.

Include ocsp.h in your header file.

	#include <ocsp.h>

Link your project with ocsp.lib: add the following string to your project's .mmp
file:

	LIBRARY ocsp.lib

Add the following to your class declaration, which should be derived from
CActive:

	COcspClient* iOcspClient;

You will need to know revocation server URI. It is possible to get it from
installer preferences. Most Software Install components accept the URI as a
construction parameter. This is because they are started by the UI which stores
preferences in its resource file. If you want to retrieve it yourself, you can
use the following code (taken from InstallEngineImpl.cpp):

	//	Open instapp's ini file
	static CDictionaryStore* OpenIniFileLC(RFs& aFs)
		{
		CApaAppFinder* appFinder=CApaScanningAppFinder::NewL(aFs);
		CleanupStack::PushL(appFinder);
		TUid instAppUid={KUidInstallAppValue};
		TFileName libName=appFinder->FindAppL(KInstallAppName,instAppUid);
		CleanupStack::PopAndDestroy(appFinder); 
		TParse parser;
		User::LeaveIfError(parser.SetNoWild(KIniFileExtension,&KInstAppDriveC(),
			&libName));
		aFs.MkDirAll(parser.FullName()); // ignore the error
		CDictionaryFileStore* dict = CDictionaryFileStore::OpenLC(aFs,
			parser.FullName(),instAppUid);
		return dict;
		}

	// get preferences from ini file
	{
	RFs fs;
	User::LeaveIfError(fs.Connect());
	CleanupClosePushL(fs);
	CDictionaryStore* iniFile=OpenIniFileLC(fs); // see above
	User::LeaveIfNull(iniFile);
	RDictionaryReadStream readStream;
	readStream.OpenLC(*iniFile,KUidInstallPrefs);
	TInstallPrefs prefs; // this is what you need
	TRAPD(ret,readStream >> prefs);   // will return KErrEof first time
	CleanupStack::PopAndDestroy(2); //readStream, iniFile
	CleanupStack::Pop(); // fs 
	fs.Close();
	}

If at any time you want to cancel OCSP check, call

	iOcspClient->CancelCheck();

When ready to perform the check (the certificate chain is built), use the
following code as a template (from JavaInstallerSecurityManager.cpp):

	COCSPParameters* params = COCSPParameters::NewLC();
	params->SetURIL(*iOCSPServerURI, ETrue);
	params->AddCertificatesL(*iCertChain);
	
	// Set up authorisation scheme - we've a special UID registered with the
	// certStore for the appropriate certificates
	COCSPDirectAuthorisationScheme* scheme = 
		COCSPDirectAuthorisationScheme::NewLC(
		TUid::Uid(KCertStoreUIDForSWInstallOCSPSigning));
	params->AddAuthorisationSchemeL(scheme);
	CleanupStack::Pop(scheme);
   		
	// Won't set validation time - this uses the response producedAt time
	// instead. This avoids us relying on an accurate time in the device.
	// Caching of old responses avoided by use of the nonce.

	iOcspClient = COcspClient::NewL(params);
	CleanupStack::Pop(params);
	iOcspClient->Check(iStatus);

When the request completes and your class's RunL() is called, use the following
function template to process the result:

	TBool accept = ETrue;
	switch (iStatus.Int())
		{
		case OCSP::KErrNoCertificates:
			// No certs in OCSP request - no proper cert chain formed.
			// Covered by check digital sig logic already, so we let it pass.
			break;
		case KErrNone:
		    {
			// Check the outcome of every transaction made
			for (TInt index = 0; 
				accept && index < iOcspClient->TransactionCount(); 
				++index)
				{
				const TOCSPOutcome& outcome = iOcspClient->Outcome(index);

				// We have the OCSP response.  Interpret it, asking the user
				// what questions we need to.  Return determines whether we
				// continue the install
				switch (outcome.iStatus)
					{
					case OCSP::ETransportError:
					case OCSP::EClientInternalError:
					case OCSP::EMalformedRequest:
					case OCSP::EServerInternalError:
					case OCSP::ETryLater:
					case OCSP::ESignatureRequired:
					case OCSP::EClientUnauthorised:
					case OCSP::EUnknownResponseType:
						// Error: unable to obtain certificate status
						break;
					case OCSP::ENoServerSpecified:
					case OCSP::EInvalidURI:
						// Error: invalid revocation server URI
						break;
					case OCSP::EResponseSignatureValidationFailure:
						// Error: response signature validation failed
						break;
					case OCSP::EThisUpdateTooLate:
					case OCSP::EThisUpdateTooEarly:
					case OCSP::ENextUpdateTooEarly:
					case OCSP::ENonceMismatch:
					case OCSP::EMalformedResponse:
					case OCSP::EUnknownCriticalExtension:
					case OCSP::EMissingCertificates:
						// Error: invalid server response
						break;
					case OCSP::EMissingNonce:
						// Error: missing nonce
						break;
					case OCSP::ECertificateNotValidAtValidationTime:
						// Error: invalid certificate status information
						break;
					case OCSP::EValid:
						switch(outcome.iResult)
							{
							case OCSP::EGood:
								accept = ETrue;
								break;
							case OCSP::EUnknown:
								// ask user
								break;
							case OCSP::ERevoked:
								// ask user
								break;
							default:
								ASSERT(EFalse);
							}
						break;
					default:
						ASSERT(EFalse);
						break;
					}
				}	
			break;
			}
		default:
			// Error: cannot obtain certificate status, ask user
			break;
		}

	delete iOcspClient;
	iOcspClient = NULL;

OCSP check can take a long time. Therefore it is a good thing to display a
status dialog for the user telling her that OCSP check is in progress and
allowing her to cancel it. Both SIS and Java installers delegate this function
to their respective UI handlers.