1 /* |
|
2 * Copyright (c) 2002-2008 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: OCSP response classes |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
19 #ifndef __ROAPOCSP_H__ |
|
20 #define __ROAPOCSP_H__ |
|
21 |
|
22 #include <e32base.h> |
|
23 #include <signed.h> |
|
24 #include <f32file.h> |
|
25 |
|
// Size in bytes of the OCSP nonce. Presumably the length of the nonce this
// client generates for a request and later compares with the nonce extension
// of the response (see OCSP::ENonceMismatch / OCSP::EMissingNonce and
// COCSPResponse::iNonce) — the request side is not declared in this header.
// The nonce is what ties a response to a particular request; without it a
// previously captured, still correctly signed response cannot be told apart
// from a fresh one.
// Defined as a namespace-scope static const in a header, so each translation
// unit that includes it gets its own internal-linkage copy (harmless for a TInt).
static const TInt KOCSPNonceBytes( 16 );
|
27 |
|
// Forward declarations: the classes below only hold pointers or references
// to these types, so their full definitions are not needed in this header.

// OCSP classes declared in this header or in the decoder's own header.
class COCSPResponseCertInfo;
class COCSPCertID;
class COCSPResponse;
class COCSPResponseDecoder;

// ASN.1 encoding / decoding helper classes.
class CASN1EncBase;
class CASN1EncContainer;
class TASN1DecGeneric;

// X.509 certificate and certificate chain classes.
class CX509Certificate;
class CX509CertChain;
class CPKIXCertChain;
|
40 |
|
// Enums placed in OCSP namespace
namespace OCSP
{
// Globally-reserved error codes - range is -7601 to -7649.
// Negative, KErr*-style error codes (as opposed to the TStatus verdicts below,
// which describe what was concluded about a response). Only the values are
// declared here; where they are raised is not visible in this header.
enum
{
    KErrTransportFailure = -7601,
    KErrInvalidURI = -7602,
    KErrNoCertificates = -7603
};

// What we think of the response, or why we haven't got one.
// Values are grouped by tens: 1-4 problems before any response was obtained,
// 10-12 problems parsing it, 20-24 failures reported by the server, 30-31
// signature/certificate validation failures, 40-43 time-window failures,
// 50-51 nonce problems, 100 a usable response. Only EValid (and, at the
// caller's discretion, EMissingNonce) means the certificate statuses in the
// response may be acted upon.
enum TStatus
{
    // Error in communication with server
    ETransportError = 1,

    // Internal problem processing response
    EClientInternalError = 2,

    // No OCSP server specified
    ENoServerSpecified = 3,

    // Invalid server URI
    EInvalidURI = 4,

    // Problems understanding the response
    EMalformedResponse = 10,
    EUnknownResponseType = 11,
    // A critical extension the client does not implement was present; the
    // response cannot be safely interpreted.
    EUnknownCriticalExtension = 12,

    // Unsuccessful responses from server (these correspond to the
    // OCSPResponseStatus values a responder can return instead of a
    // BasicOCSPResponse)
    EMalformedRequest = 20,
    EServerInternalError = 21,
    ETryLater = 22,
    ESignatureRequired = 23,
    EClientUnauthorised = 24,

    // Response validation failures: the response carried no certificates to
    // verify its signature with, or the signature did not verify. In either
    // case the certificate statuses it contains must not be trusted.
    EMissingCertificates = 30,
    EResponseSignatureValidationFailure = 31,

    // Time problems: the thisUpdate / nextUpdate fields of a single response
    // fall outside the window accepted at validation time, or the subject
    // certificate itself was not valid at the validation time.
    EThisUpdateTooLate = 40,
    EThisUpdateTooEarly = 41,
    ENextUpdateTooEarly = 42,
    ECertificateNotValidAtValidationTime = 43,

    // Nonce error: the response carried a nonce that differs from the one in
    // the request, so it is not the answer to this request.
    ENonceMismatch = 50,

    // Response sufficiently valid to use - clients to decide if
    // missing nonce is sufficiently serious to require rejection.
    // Without a nonce the response cannot be bound to the request, so an older
    // response for the same certificate could be presented again; callers that
    // need freshness beyond the thisUpdate/nextUpdate window should reject it.
    EMissingNonce = 51,

    EValid = 100,
};

// What does the response say about the certificates?
// IMPORTANT: Do not change the order these are in
// (presumably callers rely on the numeric ordering EGood < EUnknown < ERevoked,
// e.g. to pick the worst status across several certificates — confirm before
// adding or renumbering values).
enum TResult
{
    EGood = 10, EUnknown = 20, ERevoked = 30
};
}
|
106 |
|
/**
 * Information about a certificate sent as part of an OCSP request: the
 * subject certificate whose status is being asked for, the certificate that
 * issued it, and the COCSPCertID used to refer to the subject in the request
 * and to match it against the response (see COCSPResponse::Find).
 *
 * The two certificates are held by reference only and are not copied, so
 * both must outlive this object.
 */

NONSHARABLE_CLASS( COCSPRequestCertInfo ) : public CBase
{
public:

    /**
     * Get the certificate present in the request.
     */
    const CX509Certificate& Subject() const;

    /**
     * Get the issuer of the certificate present in the request.
     */
    const CX509Certificate& Issuer() const;

public:

    // Not exported
    /**
     * Two-phase construction; the new object is left on the cleanup stack.
     * @param aSubject certificate whose status is requested (held by reference)
     * @param aIssuer  certificate that issued aSubject (held by reference)
     */
    static COCSPRequestCertInfo* NewLC(
        const CX509Certificate& aSubject,
        const CX509Certificate& aIssuer );

    ~COCSPRequestCertInfo();

    /**
     * Get the CertID for the subject certificate. The returned object is owned
     * by this instance (iCertID) and is valid for its lifetime.
     */
    const COCSPCertID& CertID() const;

private:

    // NOTE(review): the parameter order here (issuer, subject) is the reverse
    // of NewLC (subject, issuer). Both parameters are const CX509Certificate&,
    // so passing them the wrong way round compiles silently — verify in the
    // .cpp that NewLC forwards them correctly, otherwise iSubject/iIssuer (and
    // the CertID presumably built from them in ConstructL) would be swapped.
    COCSPRequestCertInfo( const CX509Certificate& aIssuer,
        const CX509Certificate& aSubject );
    void ConstructL();

private:

    // Non-owning references to the certificates supplied to NewLC.
    const CX509Certificate& iSubject;
    const CX509Certificate& iIssuer;
    // Presumably created in ConstructL and released in the destructor.
    COCSPCertID* iCertID;
};
|
150 |
|
/**
 * Represents an OCSP protocol response.
 *
 * Instances are created and populated by COCSPResponseDecoder (declared a
 * friend below); the constructor is private. The class derives from
 * CSignedObject, the generic signed-object base from signed.h: SignedDataL()
 * and DataElementEncoding() hand the signed bytes and the signature-related
 * elements (signing certificates, nonce, responder ID) back to that base.
 *
 * Signature verification itself is not visible in this header. Callers must
 * not act on the certificate statuses returned by CertInfo() until the
 * response has been verified and the signing certificate chained to a trusted
 * responder (see OCSP::EResponseSignatureValidationFailure and
 * OCSP::EMissingCertificates).
 *
 * The TPtrC8 members are non-owning descriptors that, going by their
 * comments, point into the encoded response data; that buffer must therefore
 * remain alive for as long as this object is in use — TODO confirm against
 * the decoder.
 */

NONSHARABLE_CLASS( COCSPResponse ) : public CSignedObject
{
public:

    /**
     * Get the number of certificate statuses present in the response.
     */
    TInt CertCount() const;

    /**
     * Get a COCSPResponseCertInfo object containing details about one of the
     * certificate statuses present in the response.
     * @param aIndex index in the range 0 <= aIndex < CertCount(). What happens
     *               for an out-of-range index is not specified here (the
     *               implementation is not in this header), so callers should
     *               range-check against CertCount() themselves.
     * @return the entry, owned by this object (see iCertInfos).
     */
    COCSPResponseCertInfo* CertInfo( TUint aIndex ) const;

    /**
     * Get the producedAt time for the response.
     */
    TTime ProducedAt() const;

    /**
     * Get the archiveCutoff time for the response, or NULL if it was not present.
     */
    const TTime* ArchiveCutoff() const;

    /**
     * Get the encoded signing certificates carried in the response (see
     * iSigningCerts), used to verify the response signature. Whether this can
     * return NULL is not visible here — check the implementation.
     */
    const TPtrC8* SigningCerts() const;

public:

    // This class is created and initialised by the response decoder
    friend class COCSPResponseDecoder;

    ~COCSPResponse();

    /**
     * Get the index for the given cert, or KErrNotFound.
     * The returned index can be passed to CertInfo(). Used to match a
     * certificate from the request (COCSPRequestCertInfo::CertID) against the
     * single responses in this response.
     */
    TInt Find( const COCSPCertID& aCertID ) const;

    // Enums to use in DataElementEncoding: indices of the signature-related
    // data elements this object exposes to CSignedObject.
    enum
    {
        ECertificateChain,
        ENonce,
        EResponderIDName, // Only one of the ResponderIDs won't be NULL
        EResponderIDKeyHash
    };

    // From CSignedObject
    // Returns the encoding of the element selected by one of the enum values
    // above; NULL presumably where that element is absent (cf. the
    // "only one of the ResponderIDs" note).
    const TPtrC8* DataElementEncoding( const TUint aIndex ) const;

private:

    // Private: only the decoder (friend) creates instances.
    COCSPResponse();

    // From CSignedObject
    // The portion of the encoded response covered by the signature (iSignedData).
    const TPtrC8 SignedDataL() const;
    void InternalizeL( RReadStream& aStream );

private:

    // Time of response, and of archiveCutoff extension (if present).
    // iArchiveCutoff is NULL when the extension is absent; presumably
    // heap-allocated by the decoder and deleted in the destructor.
    TTime iProducedAt;
    TTime* iArchiveCutoff;

    // Value of nonce in response extension (if present)
    TPtrC8 iNonce;

    // Point to the signing certificates in the response
    TPtrC8 iSigningCerts;

    // Point to the signed portion of the data
    TPtrC8 iSignedData;

    // There are two ways the responder ID can be specified - only
    // one of these will be used
    TPtrC8 iResponderIDName;
    TPtrC8 iResponderIDKeyHash;

    // One entry per singleResponse; presumably owned (reset-and-destroyed in
    // the destructor).
    RPointerArray<COCSPResponseCertInfo> iCertInfos;
};
|
241 |
|
/**
 * Information about a certificate status, as given in OCSP response
 * singleResponse data item.
 *
 * Built by NewLC from the already-decoded ASN.1 elements of one
 * singleResponse. Instances are owned by the COCSPResponse they belong to
 * (COCSPResponse::iCertInfos) and handed out via COCSPResponse::CertInfo().
 */

NONSHARABLE_CLASS( COCSPResponseCertInfo ) : public CBase
{
public:

    // Status the responder reported for the certificate (see OCSP::TResult).
    OCSP::TResult Status() const;
    // thisUpdate time of this single response.
    TTime ThisUpdate() const;
    const TTime* NextUpdate() const; // NULL if nextUpdate not set
    const TTime* RevocationTime() const; // NULL if not revoked

public:

    /**
     * Two-phase construction; the new object is left on the cleanup stack.
     * @param items decoded ASN.1 elements of one singleResponse; not owned by
     *              this object and presumably only read during ConstructL.
     */
    static COCSPResponseCertInfo* NewLC( CArrayPtr<TASN1DecGeneric>& items );
    ~COCSPResponseCertInfo();
    // Identifies which certificate this status applies to. Returns a
    // non-const pointer from a const method (unlike
    // COCSPRequestCertInfo::CertID(), which returns const&); callers should
    // treat the object as read-only and presumably must not delete it, since
    // iCertID is released by this class.
    COCSPCertID* CertID() const;

private:
    void ConstructL( CArrayPtr<TASN1DecGeneric>& items );

private:
    OCSP::TResult iStatus;

    TTime iThisUpdate;
    // Optional fields: NULL when absent (see NextUpdate() / RevocationTime()),
    // otherwise presumably heap-allocated in ConstructL and deleted in the
    // destructor.
    TTime* iNextUpdate;
    TTime* iRevocationTime;

    // Presumably created in ConstructL and deleted in the destructor.
    COCSPCertID* iCertID;
};
|
274 |
|
275 #endif // __ROAPOCSP_H__ |