installationservices/swi/source/securitymanager/certchainconstraints.cpp
changeset 0 ba25891c3a9e
child 9 51c0f5edf5ef
-1:000000000000 0:ba25891c3a9e
       
     1 /*
       
     2 * Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies).
       
     3 * All rights reserved.
       
     4 * This component and the accompanying materials are made available
       
     5 * under the terms of the License "Eclipse Public License v1.0"
       
     6 * which accompanies this distribution, and is available
       
     7 * at the URL "http://www.eclipse.org/legal/epl-v10.html".
       
     8 *
       
     9 * Initial Contributors:
       
    10 * Nokia Corporation - initial contribution.
       
    11 *
       
    12 * Contributors:
       
    13 *
       
    14 * Description: 
       
    15 * Developer mode certificate constraints implementation.
       
    16 *
       
    17 */
       
    18 
       
    19 
       
    20 /**
       
    21  @file 
       
    22  @released
       
    23  @internalTechnology
       
    24 */
       
    25 
       
    26 #include "certchainconstraints.h"
       
    27 #include "x509constraintext.h"
       
    28 #include <x509certext.h>
       
    29 //#include "log.h"
       
    30 
       
    31 using namespace Swi;
       
    32 
       
    33 //
       
    34 //  CCertChainConstraints methods.
       
    35 //
       
    36 
       
    37 EXPORT_C CCertChainConstraints* CCertChainConstraints::NewL(RPointerArray<CPKIXCertChainBase>& aValidCerts)
       
    38 	{
       
    39 	CCertChainConstraints* self = CCertChainConstraints::NewLC(aValidCerts);
       
    40 	CleanupStack::Pop(self);
       
    41 	return self;	
       
    42 	}
       
    43 	
       
    44 EXPORT_C CCertChainConstraints* CCertChainConstraints::NewLC(RPointerArray<CPKIXCertChainBase>& aValidCerts)
       
    45 	{
       
    46 	CCertChainConstraints* self = new(ELeave) CCertChainConstraints();
       
    47 	CleanupStack::PushL(self);
       
    48 	self->ConstructL(aValidCerts);
       
    49 	return self;	
       
    50 	}
       
    51 
       
    52 EXPORT_C CCertChainConstraints* CCertChainConstraints::NewL()
       
    53 	{
       
    54 	CCertChainConstraints* self = new(ELeave) CCertChainConstraints();
       
    55 	return self;	
       
    56 	}
       
    57 	
       
    58 CCertChainConstraints::~CCertChainConstraints()
       
    59 	{
       
    60 	//Release the resources
       
    61 	iValidSIDs.Close();
       
    62 	iValidVIDs.Close();
       
    63 	iValidDeviceIDs.ResetAndDestroy();
       
    64 	}
       
    65 	
       
    66 EXPORT_C TBool CCertChainConstraints::SIDIsValid(TSecureId aRequestSID) const
       
    67 	{
       
    68 	TBool ret=ETrue;
       
    69 	if (iSIDsAreConstrained && (aRequestSID.iId & 0x80000000)==0 && KErrNotFound==iValidSIDs.Find(aRequestSID))
       
    70 		{
       
    71 		ret=EFalse;			
       
    72 		}
       
    73 	return ret;
       
    74 	}
       
    75 	
       
    76 EXPORT_C TBool CCertChainConstraints::VIDIsValid(TVendorId aRequestVID) const
       
    77 	{
       
    78 	TBool ret=ETrue;
       
    79 	if (iVIDsAreConstrained && aRequestVID!=0 && KErrNotFound==iValidVIDs.Find(aRequestVID))
       
    80 		{
       
    81 		ret=EFalse;		
       
    82 		}
       
    83 	return ret;	
       
    84 	}
       
    85 
       
    86 EXPORT_C TBool CCertChainConstraints::CapabilitiesAreValid(TCapabilitySet& aRequestCapabilities) const
       
    87 	{
       
    88 	return iValidCapabilities.HasCapabilities(aRequestCapabilities);
       
    89 	}
       
    90 	
       
    91 EXPORT_C TBool CCertChainConstraints::DeviceIDIsValid(const HBufC* aRequestDeviceID) const
       
    92 	{
       
    93 	TBool ret=EFalse;
       
    94 	if (iDeviceIDsAreConstrained)
       
    95 		{
       
    96 		TInt deviceIDCount=iValidDeviceIDs.Count();
       
    97 		//Check if request Device ID is in the valid device ID list
       
    98 		for(TInt i=0; i<deviceIDCount; i++)
       
    99 			{
       
   100 			if (iValidDeviceIDs[i]->CompareF(*aRequestDeviceID)==0)
       
   101 				{
       
   102 				ret=ETrue;
       
   103 				break;
       
   104 				}
       
   105 			}		
       
   106 		}
       
   107 	else
       
   108 		{
       
   109 		//No constaints on Device ID at all
       
   110 		ret=ETrue;				
       
   111 		}
       
   112 	return ret;		
       
   113 	}
       
   114 
       
   115 EXPORT_C TBool CCertChainConstraints::SIDsAreConstrained() const
       
   116 	{
       
   117 	return iSIDsAreConstrained;
       
   118 	}
       
   119 	
       
   120 EXPORT_C TBool CCertChainConstraints::VIDsAreConstrained() const
       
   121 	{
       
   122 	return iVIDsAreConstrained; 
       
   123 	}
       
   124 	
       
   125 EXPORT_C TBool CCertChainConstraints::DeviceIDsAreConstrained() const
       
   126 	{
       
   127 	return iDeviceIDsAreConstrained; 
       
   128 	}
       
   129 	
       
   130 EXPORT_C TBool CCertChainConstraints::CapabilitiesAreConstrained() const
       
   131 	{
       
   132 	return iCapabilitiesAreConstrained;		
       
   133 	}
       
   134 	
       
   135 EXPORT_C const TCapabilitySet& CCertChainConstraints::ValidCapabilities() const
       
   136 	{
       
   137 	return iValidCapabilities;
       
   138 	}
       
   139 
       
   140 EXPORT_C void CCertChainConstraints::SetValidCapabilities(const TCapabilitySet& aValidCapabilities)
       
   141 	{
       
   142 	iValidCapabilities=aValidCapabilities;
       
   143 	}
       
   144 	
       
   145 CCertChainConstraints::CCertChainConstraints()
       
   146 	{
       
   147 	//Pre-initialise the valid Capability to all capability supported	
       
   148 	iValidCapabilities.SetAllSupported();
       
   149 	}
       
   150 
       
   151 void CCertChainConstraints::ConstructL(RPointerArray<CPKIXCertChainBase>& aValidCerts)
       
   152 	{
       
   153 	//Get the Cert Chain count
       
   154 	TInt certChainCount=aValidCerts.Count();
       
   155 	
       
   156 	//Go through the certificate chains
       
   157 	for(TInt i=0; i<certChainCount; i++)
       
   158 		{
       
   159 		TInt certCount=aValidCerts[i]->Count();
       
   160 		//Go through the certificate in one certificate chain
       
   161 		for (TInt j=0; j<certCount; j++)
       
   162 			{
       
   163 			const CX509Certificate& validCert=aValidCerts[i]->Cert(j);
       
   164 			
       
   165 			//Retrieve the DeviceIDs and build the list
       
   166 			RetrieveExtensionDeviceIDListL(validCert);
       
   167 			
       
   168 			//Retrieve the Capabilities and build capability constraints
       
   169 			RetrieveExtensionCapabilitySetL(validCert);
       
   170 			
       
   171 			//Retrieve the SIDs and build the list
       
   172 			RetrieveExtensionSIDListL(validCert);
       
   173 			
       
   174 			//Retrieve the VIDs and build the list
       
   175 			RetrieveExtensionVIDListL(validCert);
       
   176 			}
       
   177 		}
       
   178 	}
       
   179 
       
   180 void CCertChainConstraints::RetrieveExtensionCapabilitySetL(const CX509Certificate& aCert)
       
   181 	{
       
   182 	const CX509CertExtension* certExt = aCert.Extension(KCapabilitiesConstraint);
       
   183 	if (certExt)
       
   184 		{
       
   185         CX509CapabilitySetExt* capSetExt=CX509CapabilitySetExt::NewL(certExt->Data());
       
   186 		iValidCapabilities.Intersection(capSetExt->CapabilitySet());
       
   187 		delete capSetExt;
       
   188 		iCapabilitiesAreConstrained=ETrue;
       
   189 		}
       
   190 	}
       
   191 
       
   192 TBool CompareInstance(const HBufC& aFirst, const HBufC& aSecond)
       
   193 	{
       
   194 	return (aFirst.CompareF(aSecond) == 0);
       
   195 	}
       
   196 
       
   197 void CCertChainConstraints::RetrieveExtensionDeviceIDListL(const CX509Certificate& aCert)
       
   198 	{
       
   199 	if (!iDeviceIDsAreConstrained || (iDeviceIDsAreConstrained && iValidDeviceIDs.Count()>0))
       
   200 		{
       
   201 		const CX509CertExtension* certExt = aCert.Extension(KDeviceIdListConstraint);
       
   202 		if (certExt)
       
   203 			{
       
   204 			CX509Utf8StringListExt* deviceIdExt=CX509Utf8StringListExt::NewLC(certExt->Data());
       
   205 			const RPointerArray<HBufC>& buf=deviceIdExt->StringArray();
       
   206 			// iValidDeviceIDs intersect the constrained Device ID set in the certificate
       
   207 			if (!iDeviceIDsAreConstrained)
       
   208 				{
       
   209 				TInt count=buf.Count();
       
   210 				for (TInt i=0;i<count;i++)
       
   211 					{
       
   212 					HBufC* temp=buf[i]->AllocLC();
       
   213 					iValidDeviceIDs.AppendL(temp);
       
   214 					CleanupStack::Pop(temp);
       
   215 					}
       
   216 				iDeviceIDsAreConstrained=ETrue;					
       
   217 				}
       
   218 			else
       
   219 				{
       
   220 				for (TInt k=iValidDeviceIDs.Count()-1;k>=0;k--)
       
   221 					{
       
   222 					if(KErrNotFound==buf.Find(iValidDeviceIDs[k],TIdentityRelation<HBufC>(CompareInstance)))
       
   223 						{
       
   224 						HBufC* temp=iValidDeviceIDs[k];
       
   225 						iValidDeviceIDs.Remove(k);
       
   226 						delete temp;
       
   227 						}					
       
   228 					}
       
   229 				}
       
   230 			CleanupStack::PopAndDestroy(deviceIdExt);
       
   231 			}
       
   232 		}	
       
   233 	}
       
   234 
       
   235 void CCertChainConstraints::RetrieveExtensionSIDListL(const CX509Certificate& aCert)
       
   236 	{
       
   237 	if (!iSIDsAreConstrained || (iSIDsAreConstrained &&  iValidSIDs.Count()>0))
       
   238 		{
       
   239 		const CX509CertExtension* certExt=aCert.Extension(KSidListConstraint);
       
   240 		if (certExt)
       
   241 			{
       
   242 			CX509IntListExt* intExt=CX509IntListExt::NewLC(certExt->Data());
       
   243 			const RArray<TInt>& sidList=intExt->IntArray();
       
   244 			// iValidSIDs intersect the constrained sid set in the certificate
       
   245 			if (!iSIDsAreConstrained)
       
   246 				{
       
   247 				TInt count=sidList.Count();
       
   248 				for (TInt i=0;i<count;i++)
       
   249 					{
       
   250 					iValidSIDs.AppendL(TSecureId(sidList[i]));
       
   251 					}
       
   252 				iSIDsAreConstrained=ETrue;						
       
   253 				}
       
   254 			else
       
   255 				{
       
   256 				for (TInt k=iValidSIDs.Count()-1;k>=0;k--)
       
   257 					{
       
   258 					if (sidList.Find(iValidSIDs[k].iId)==KErrNotFound)
       
   259 						{
       
   260 						iValidSIDs.Remove(k);
       
   261 						}						
       
   262 					}										
       
   263 				}
       
   264 			CleanupStack::PopAndDestroy(intExt);
       
   265 			}				
       
   266 		}
       
   267 	}
       
   268 
       
   269 void CCertChainConstraints::RetrieveExtensionVIDListL(const CX509Certificate& aCert)
       
   270 	{
       
   271 	if (!iVIDsAreConstrained || (iVIDsAreConstrained &&  iValidVIDs.Count()>0))
       
   272 		{
       
   273 		const CX509CertExtension* certExt=aCert.Extension(KVidListConstraint);
       
   274 		if (certExt)
       
   275 			{
       
   276 			CX509IntListExt* intExt=CX509IntListExt::NewLC(certExt->Data());
       
   277 			const RArray<TInt>& vidList=intExt->IntArray();
       
   278 			// iValidVIDs intersect the constrained vid set in the certificate
       
   279 			if (!iVIDsAreConstrained)
       
   280 				{
       
   281 				TInt count=vidList.Count();
       
   282 				for (TInt i=0;i<count;i++)
       
   283 					{
       
   284 					iValidVIDs.AppendL(TVendorId(vidList[i]));
       
   285 					}
       
   286 				iVIDsAreConstrained=ETrue;
       
   287 				}
       
   288 			else
       
   289 				{
       
   290 				for (TInt k=iValidVIDs.Count()-1;k>=0;k--)
       
   291 					{
       
   292 					if (vidList.Find(iValidVIDs[k].iId)==KErrNotFound)
       
   293 						{
       
   294 						iValidVIDs.Remove(k);
       
   295 						}						
       
   296 					}					
       
   297 				}
       
   298 			CleanupStack::PopAndDestroy(intExt);
       
   299 			}			
       
   300 		}
       
   301 	}
       
   302
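Review bot: `DeviceIDIsValid` (file lines 91-113) dereferences `aRequestDeviceID` in the `CompareF` call without checking it for NULL, so on a chain that constrains device IDs an exported call with a null pointer faults instead of returning a refusal; a guard such as `if (!aRequestDeviceID) { return EFalse; }` at the top of the constrained branch would make that case fail closed. The same match is a folded comparison (`CompareF`, also used in `CompareInstance`), which appears to accept identifiers that differ only by case or folding; if device IDs are meant to match exactly, `Compare` is the stricter choice. Separately, `SIDIsValid` and `VIDIsValid` skip the list lookup when the SID has bit `0x80000000` set or the VID is zero, and neither exemption is commented; a line such as `// SIDs with the top bit set are not checked against the certificate's SID list` (and the equivalent for a zero VID) would record that this is intended rather than an oversight.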