|
1 // Copyright (c) 2001-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
2 // All rights reserved. |
|
3 // This component and the accompanying materials are made available |
|
4 // under the terms of "Eclipse Public License v1.0" |
|
5 // which accompanies this distribution, and is available |
|
6 // at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
7 // |
|
8 // Initial Contributors: |
|
9 // Nokia Corporation - initial contribution. |
|
10 // |
|
11 // Contributors: |
|
12 // |
|
13 // Description: |
|
14 // ocsp.h |
|
15 // Header specifying client interface to the OCSP module. |
|
16 // |
|
17 // |
|
18 |
|
19 #ifndef OCSPREQUESTANDRESPONSE_H |
|
20 #define OCSPREQUESTANDRESPONSE_H |
|
21 |
|
22 /** |
|
23 * @file |
|
24 * @internalTechnology |
|
25 */ |
|
26 |
|
27 #include <e32base.h> |
|
28 #include <signed.h> |
|
29 #include <f32file.h> |
|
30 #include <hash.h> |
|
31 #include <x500dn.h> |
|
32 #include <x509cert.h> |
|
33 #include <ct/rmpointerarray.h> |
|
34 #include <cctcertinfo.h> |
|
35 #include <asn1enc.h> |
|
36 #include <asn1dec.h> |
|
37 |
|
38 #ifdef SYMBIAN_ENABLE_SPLIT_HEADERS |
|
39 #include "ocsp.h" |
|
40 #endif |
|
41 |
|
42 #define KOCSPNonceBytes 16 |
|
43 |
|
44 // Default values for transport parameters |
|
45 const TUint KTransportDefaultRequestRetryCount = 1; // No retry |
|
46 const TInt KTransportDefaultRequestTimeout = -1; // Timeout disabled |
|
47 |
|
48 class COCSPRequestCertInfo; |
|
49 class COCSPResponseCertInfo; |
|
50 class COCSPCertID; |
|
51 class MOCSPTransport; |
|
52 class COCSPResponse; |
|
53 class COCSPTransportHandler; |
|
54 class MOCSPAuthorisationScheme; |
|
55 class COCSPTransaction; |
|
56 class COCSPValidator; |
|
57 class COCSPRequestCertInfo; |
|
58 class COCSPResponseDecoder; |
|
59 |
|
60 class CASN1EncBase; |
|
61 class CASN1EncContainer; |
|
62 class TASN1DecGeneric; |
|
63 |
|
64 class CX509Certificate; |
|
65 class CX509CertChain; |
|
66 class CPKIXCertChainBase; |
|
67 class COCSPParameters; |
|
68 |
|
69 |
|
70 /** |
|
71 * Represents an OCSP protocol request. |
|
72 */ |
|
73 |
|
74 class COCSPRequest : public CBase |
|
75 { |
|
76 public: |
|
77 |
|
78 /** |
|
79 * Get the nonce used in the request. Returns NULL if a nonce was not used. |
|
80 */ |
|
81 |
|
82 IMPORT_C const TDesC8* Nonce() const; |
|
83 |
|
84 /** |
|
85 * Get the number of certificates used in a response |
|
86 */ |
|
87 |
|
88 IMPORT_C TInt CertCount() const; |
|
89 |
|
90 /** |
|
91 * Get a COCSPRequestCertInfo object containing details about one of the |
|
92 * certificates present in the request. |
|
93 */ |
|
94 |
|
95 IMPORT_C const COCSPRequestCertInfo& CertInfo(TUint aIndex) const; |
|
96 |
|
97 public: |
|
98 |
|
99 // Not exported |
|
100 static COCSPRequest* NewLC(TBool aUseNonce); |
|
101 static COCSPRequest* NewL(TBool aUseNonce); |
|
102 |
|
103 ~COCSPRequest(); |
|
104 void AddCertificateL(const CX509Certificate& aSubject, |
|
105 const CX509Certificate& aIssuer); |
|
106 |
|
107 private: |
|
108 |
|
109 COCSPRequest(); |
|
110 void ConstructL(TBool aUseNonce); |
|
111 |
|
112 HBufC8* iNonce; |
|
113 RPointerArray<const COCSPRequestCertInfo> iCertInfos; |
|
114 }; |
|
115 |
|
116 /** |
|
117 * Information about a certificate sent as part of an OCSP request. |
|
118 */ |
|
119 |
|
120 class COCSPRequestCertInfo : public CBase |
|
121 { |
|
122 public: |
|
123 |
|
124 /** |
|
125 * Get the certificate present in the request. |
|
126 */ |
|
127 |
|
128 IMPORT_C const CX509Certificate& Subject() const; |
|
129 |
|
130 /** |
|
131 * Get the issuer of the certificate present in the request. |
|
132 */ |
|
133 |
|
134 IMPORT_C const CX509Certificate& Issuer() const; |
|
135 |
|
136 public: |
|
137 |
|
138 // Not exported |
|
139 static COCSPRequestCertInfo* NewLC( |
|
140 const CX509Certificate& aSubject, |
|
141 const CX509Certificate& aIssuer); |
|
142 |
|
143 ~COCSPRequestCertInfo(); |
|
144 |
|
145 const COCSPCertID& CertID() const; |
|
146 |
|
147 private: |
|
148 |
|
149 COCSPRequestCertInfo(const CX509Certificate& aIssuer, |
|
150 const CX509Certificate& aSubject); |
|
151 void ConstructL(); |
|
152 |
|
153 private: |
|
154 |
|
155 const CX509Certificate& iSubject; |
|
156 const CX509Certificate& iIssuer; |
|
157 COCSPCertID* iCertID; |
|
158 }; |
|
159 |
|
160 |
|
161 /** |
|
162 * Represents an OCSP protocol response. |
|
163 */ |
|
164 |
|
165 class COCSPResponse : public CSignedObject |
|
166 { |
|
167 public: |
|
168 |
|
169 /** |
|
170 * Get the number of certificates statuses present in the response. |
|
171 */ |
|
172 |
|
173 IMPORT_C TInt CertCount() const; |
|
174 |
|
175 /** |
|
176 * Get a COCSPResponseCertInfo object containing details about one of the |
|
177 * certificate statuses present in the response. |
|
178 */ |
|
179 |
|
180 IMPORT_C const COCSPResponseCertInfo& CertInfo(TUint aIndex) const; |
|
181 |
|
182 /** |
|
183 * Get the producedAt time for the response. |
|
184 */ |
|
185 |
|
186 IMPORT_C TTime ProducedAt() const; |
|
187 |
|
188 /** |
|
189 * Get the archiveCutoff time for the response, or NULL if it was not present. |
|
190 */ |
|
191 |
|
192 IMPORT_C const TTime* ArchiveCutoff() const; |
|
193 |
|
194 public: |
|
195 |
|
196 // This class is created and initialised by the response decoder |
|
197 friend class COCSPResponseDecoder; |
|
198 |
|
199 ~COCSPResponse(); |
|
200 |
|
201 /** |
|
202 * Get the index for the given cert, or KErrNotFound. |
|
203 */ |
|
204 |
|
205 TInt Find(const COCSPCertID& aCertID) const; |
|
206 |
|
207 // Enums to use in DataElementEncoding |
|
208 enum |
|
209 { |
|
210 ECertificateChain, |
|
211 ENonce, |
|
212 EResponderIDName, // Only one of the ResponderIDs won't be NULL |
|
213 EResponderIDKeyHash |
|
214 }; |
|
215 |
|
216 // From CSignedObject |
|
217 const TPtrC8* DataElementEncoding(const TUint aIndex) const; |
|
218 |
|
219 private: |
|
220 |
|
221 COCSPResponse(); |
|
222 |
|
223 // From CSignedObject |
|
224 const TPtrC8 SignedDataL() const; |
|
225 void InternalizeL(RReadStream& aStream); |
|
226 |
|
227 private: |
|
228 |
|
229 // Time of response, and of archiveCutoff extension (if present) |
|
230 TTime iProducedAt; |
|
231 TTime* iArchiveCutoff; |
|
232 |
|
233 // Value of nonce in response extension (if present) |
|
234 TPtrC8 iNonce; |
|
235 |
|
236 // Point to the signing certificates in the response |
|
237 TPtrC8 iSigningCerts; |
|
238 |
|
239 // Point to the signed portion of the data |
|
240 TPtrC8 iSignedData; |
|
241 |
|
242 // There are two ways the responder ID can be specified - only |
|
243 // one of these will be used |
|
244 TPtrC8 iResponderIDName; |
|
245 TPtrC8 iResponderIDKeyHash; |
|
246 |
|
247 RPointerArray<COCSPResponseCertInfo> iCertInfos; |
|
248 }; |
|
249 |
|
250 |
|
251 /** |
|
252 * Information about a certificate status, as given in OCSP response |
|
253 * singleResponse data item. |
|
254 */ |
|
255 |
|
256 class COCSPResponseCertInfo : public CBase |
|
257 { |
|
258 public: |
|
259 |
|
260 IMPORT_C OCSP::TResult Status() const; |
|
261 IMPORT_C TTime ThisUpdate() const; |
|
262 IMPORT_C const TTime* NextUpdate() const; // NULL if nextUpdate not set |
|
263 IMPORT_C const TTime* RevocationTime() const; // NULL if not revoked |
|
264 |
|
265 public: |
|
266 |
|
267 static COCSPResponseCertInfo* NewLC(CArrayPtr<TASN1DecGeneric>& aItems); |
|
268 ~COCSPResponseCertInfo(); |
|
269 COCSPCertID& CertID() const; |
|
270 |
|
271 private: |
|
272 void ConstructL(CArrayPtr<TASN1DecGeneric>& aItems); |
|
273 |
|
274 private: |
|
275 OCSP::TResult iStatus; |
|
276 |
|
277 TTime iThisUpdate; |
|
278 TTime* iNextUpdate; |
|
279 TTime* iRevocationTime; |
|
280 |
|
281 COCSPCertID* iCertID; |
|
282 }; |
|
283 |
|
284 /** |
|
285 Utility class contains functions common to all validation |
|
286 schemes. |
|
287 */ |
|
288 namespace OCSPUtils |
|
289 { |
|
290 TBool IsAIAForOCSPPresentL(const CX509Certificate& aCert); |
|
291 |
|
292 TBool DoesResponderIdMatchCertL( const COCSPResponse& aResponse, |
|
293 const CX509Certificate& aResponderCert); |
|
294 TBool DoesDNNameMatchL( const COCSPResponse& aResponse, const CX509Certificate& aCert); |
|
295 TBool DoesIssuerKeyMatchL(const COCSPResponse& aResponse, const CX509Certificate& aCert); |
|
296 TBool IsResponseSignedByCertL( COCSPResponse* aResponse, const CX509Certificate& aCert); |
|
297 TBool DoesCertHaveOCSPNoCheckExt( const CX509Certificate& aCert); |
|
298 TDesC8* ServerUriL( const CX509Certificate& aCert, const COCSPParameters* aParameters ); |
|
299 TBool IsUriAvailableL( const CX509Certificate& aCert, const COCSPParameters* aParameters ); |
|
300 TDesC8* GetAIAL(const CX509Certificate& aCert); |
|
301 TBool DoesCertHaveOCSPSigningExtL(const CX509Certificate& aCert); |
|
302 CX509Certificate* GetResponderCertLC(const TDesC8& aEncodedCerts); |
|
303 } |
|
304 |
|
305 // Base class interface for authorisation schemes, for plugging into the validator object |
|
306 class MOCSPAuthorisationScheme |
|
307 { |
|
308 public: |
|
309 virtual ~MOCSPAuthorisationScheme() {}; |
|
310 |
|
311 virtual void ValidateL( |
|
312 OCSP::TStatus& aOCSPStatus, COCSPResponse& aResponse, |
|
313 const TTime aValidationTime, TRequestStatus& aStatus, |
|
314 const COCSPRequest& aRequest) = 0; |
|
315 |
|
316 virtual void CancelValidate() = 0; |
|
317 // Returns the responder certificate. This method shall return valid responder |
|
318 // certificate for delegate and direct schemes, for the cadirect scheme although |
|
319 // the CA cert is the response cert but it returns NULL as the need for retrieving |
|
320 // this certificate is to further send it for OCSP checking, this logic is only valid |
|
321 // for delegate and direct schemes. |
|
322 virtual const CX509Certificate* ResponderCert() const = 0; |
|
323 }; |
|
324 |
|
325 |
|
326 class CPKIXValidationResultBase; |
|
327 class CCertAttributeFilter; |
|
328 class MCertStore; |
|
329 |
|
330 class COCSPDelegateAuthorisationScheme : public CActive, public MOCSPAuthorisationScheme |
|
331 /** |
|
332 Implement part of S2.2.2 of RFC 2560. |
|
333 |
|
334 "a CA Designated Responder (Authorized Responder) who holds |
|
335 a specially marked certificate issued directly by the CA, |
|
336 indicating that the responder may issue OCSP responses for |
|
337 that CA." |
|
338 */ |
|
339 { |
|
340 public: |
|
341 IMPORT_C static COCSPDelegateAuthorisationScheme* NewLC(MCertStore& aCertStore); |
|
342 virtual ~COCSPDelegateAuthorisationScheme(); |
|
343 |
|
344 virtual void ValidateL( |
|
345 OCSP::TStatus& aOCSPStatus, COCSPResponse& aResponse, |
|
346 const TTime aValidationTime, TRequestStatus& aStatus, |
|
347 const COCSPRequest& aRequest); |
|
348 |
|
349 virtual void CancelValidate(); |
|
350 const CX509Certificate* ResponderCert() const; |
|
351 |
|
352 protected: |
|
353 virtual void RunL(); |
|
354 virtual void DoCancel(); |
|
355 TInt RunError(TInt aError); |
|
356 |
|
357 private: |
|
358 COCSPDelegateAuthorisationScheme(MCertStore& aCertStore); |
|
359 void ConstructL(); |
|
360 |
|
361 void ValidateDelegateCertL(const TDesC8& aResponseCertChain, const TTime aValidationTime); |
|
362 void OnChainValidationL(); |
|
363 |
|
364 // searches on the basis of the issuer's subject name |
|
365 void ValidateFromRootsL(); |
|
366 |
|
367 void OnRetrieveNextL(); |
|
368 void OnRetrievingEntryL(); |
|
369 |
|
370 private: |
|
371 |
|
372 enum TDelegateAuthState |
|
373 { |
|
374 EOnChainValidation, |
|
375 ERetrieveNext, |
|
376 ERetrievingEntry, |
|
377 }; |
|
378 /** |
|
379 This is a required argument for CPKIXCertChainBase, even |
|
380 though no certificates are used from the store. |
|
381 */ |
|
382 MCertStore& iCertStore; |
|
383 /** |
|
384 Pointer to client's OSCP status. This object sets the |
|
385 status according to the result of the validation. If |
|
386 the validation cannot be carried out, the default value |
|
387 is OCSP::EResponseSignatureValidationFailure. |
|
388 */ |
|
389 OCSP::TStatus* iOCSPStatus; |
|
390 /** |
|
391 Pointer to client's request status. This is recorded |
|
392 on the call to Validate() and used to notify the client |
|
393 of completion later. |
|
394 */ |
|
395 TRequestStatus* iClientStatus; |
|
396 /** |
|
397 Array used to hold pointer to issuer cert. This contains |
|
398 the pointer to the CA. |
|
399 */ |
|
400 RPointerArray<CX509Certificate> iRespSignIntCert; |
|
401 /** |
|
402 This object is used to chain the response signer back |
|
403 to the CA. |
|
404 */ |
|
405 CPKIXCertChainBase* iRespSignCertChainBase; |
|
406 /** |
|
407 The cert chain stores the validation result in |
|
408 this object. |
|
409 |
|
410 @see iRespSignCertChain; |
|
411 */ |
|
412 CPKIXValidationResultBase* iPKIXResultBase; |
|
413 /** |
|
414 Response from OCSP server. Once it has been established |
|
415 that the certificate sent with the response is an authorised |
|
416 responder for the CA, the response is checked to ensure |
|
417 that it really is signed by that certificate. |
|
418 |
|
419 This is not const because, if DSA is used, then |
|
420 SetParametersL() will be called on the response before |
|
421 the signature is verified. |
|
422 */ |
|
423 COCSPResponse* iResponse; |
|
424 const COCSPRequest* iRequest; |
|
425 CCertAttributeFilter* iCertFilter; |
|
426 RMPointerArray<CCTCertInfo> iCertStoreEntries; |
|
427 TDelegateAuthState iState; |
|
428 HBufC8* iEncodedCert; |
|
429 const CX509Certificate* iResponseCert; |
|
430 TInt iCertCount; |
|
431 TTime iValidationTime; |
|
432 TBool iValidateFromResponse; |
|
433 |
|
434 }; |
|
435 |
|
436 class COCSPCaDirectAuthorisationScheme : public CBase, public MOCSPAuthorisationScheme |
|
437 /** |
|
438 Implement part of S2.2 of RFC 2560. |
|
439 |
|
440 "The key used to sign the response MUST belong to one of the following... |
|
441 |
|
442 -- the CA who issued the certificate in question" |
|
443 */ |
|
444 { |
|
445 public: |
|
446 IMPORT_C static COCSPCaDirectAuthorisationScheme* NewLC(); |
|
447 const CX509Certificate* ResponderCert() const; |
|
448 |
|
449 private: |
|
450 virtual void ValidateL( |
|
451 OCSP::TStatus& aOCSPStatus, COCSPResponse& aResponse, |
|
452 const TTime aValidationTime, TRequestStatus& aStatus, |
|
453 const COCSPRequest& aRequest); |
|
454 virtual void CancelValidate(); |
|
455 |
|
456 TBool DoValidateL( |
|
457 const COCSPRequest& aRequest, COCSPResponse& aResponse); |
|
458 TBool CertChainMatchesCertL( |
|
459 const TDesC8& aCertChainData, const CX509Certificate& aCert); |
|
460 }; |
|
461 |
|
462 // Authorisation scheme taking a cert store UID, and allowing those cert chains |
|
463 // with a root cert in the cert store valid for that UID |
|
464 |
|
465 /** |
|
466 Implement part of S2.2 of RFC 2560. |
|
467 |
|
468 "The key used to sign the response MUST belong to one of the following... |
|
469 |
|
470 -- a Trusted Responder whose public key is trusted by the requester" |
|
471 */ |
|
472 class COCSPDirectAuthorisationScheme : public CActive, public MOCSPAuthorisationScheme |
|
473 { |
|
474 public: |
|
475 IMPORT_C static COCSPDirectAuthorisationScheme* NewLC(const TUid& aCertStoreUid, MCertStore& aCertStore); |
|
476 |
|
477 ~COCSPDirectAuthorisationScheme(); |
|
478 |
|
479 // From MOCSPAuthorisationScheme |
|
480 void ValidateL(OCSP::TStatus& aOCSPStatus, COCSPResponse& aResponse, |
|
481 const TTime aValidationTime, TRequestStatus& aStatus, |
|
482 const COCSPRequest& aRequest); |
|
483 void CancelValidate(); |
|
484 |
|
485 const CX509Certificate* ResponderCert() const; |
|
486 |
|
487 protected: |
|
488 virtual void DoCancel(); |
|
489 virtual void RunL(); |
|
490 virtual TInt RunError(TInt aError); |
|
491 |
|
492 private: |
|
493 void ConstructL(); |
|
494 |
|
495 COCSPDirectAuthorisationScheme(const TUid& aCertStoreUid, MCertStore& aCertStore); |
|
496 |
|
497 TBool ValidateSignatureL(); |
|
498 void ValidateFromRoots(); |
|
499 void ValidateCertChainL(); |
|
500 void StartValidateL(); |
|
501 void OnValidateCertChainL(); |
|
502 void OnListCertEntries(); |
|
503 void OnRetrieveNextL(); |
|
504 void OnRetrievingEntryL(); |
|
505 |
|
506 private: |
|
507 TUid iCertStoreUid; |
|
508 |
|
509 COCSPResponse* iResponse; |
|
510 |
|
511 CPKIXCertChainBase* iCertChain; |
|
512 |
|
513 TRequestStatus* iClientStatus; |
|
514 CPKIXValidationResultBase* iPKIXResult; |
|
515 OCSP::TStatus* iOCSPStatus; |
|
516 |
|
517 enum TStatus |
|
518 { |
|
519 EValidateCertChain, // waiting for cert chain validation to complete |
|
520 EListCertEntries, // waiting listing to complete |
|
521 ERetrieveNext, // get next cert entry |
|
522 ERetrievingEntry, // waiting for entry retrieval to complete |
|
523 }; |
|
524 TStatus iState; |
|
525 |
|
526 MCertStore& iCertStore; |
|
527 |
|
528 CCertAttributeFilter* iCertFilter; |
|
529 RMPointerArray<CCTCertInfo> iCertStoreEntries; |
|
530 HBufC8* iEncodedCertBuf; |
|
531 TPtr8* iEncodedCertPtr; |
|
532 |
|
533 RFs iFs; |
|
534 TInt iCurEntry; // while async processing 509 certs, points to the current one |
|
535 |
|
536 TTime iValidationTime; |
|
537 const COCSPRequest* iRequest; |
|
538 const CX509Certificate* iResponseCert; |
|
539 }; |
|
540 |
|
541 |
|
542 /** |
|
543 * Interface through which the OCSP module sends requests to the outside world. |
|
544 * Normally, the appropriate concrete objects are made automatically, depending |
|
545 * on the URI, and so clients don't have to deal with this. However, clients |
|
546 * can override the automatically created object by specifying their own |
|
547 * transport object instead. |
|
548 */ |
|
549 |
|
550 class MOCSPTransport |
|
551 { |
|
552 public: |
|
553 |
|
554 virtual ~MOCSPTransport() {}; |
|
555 |
|
556 /** |
|
557 * Send request data to a URI. This is an asynchronous method. |
|
558 * @param aURI Target URI for sending the request |
|
559 * @param aRequest Request packet |
|
560 * @param aTimeout Request timeout in milliseconds (ignored if feature not supported) |
|
561 * @param aStatus The request status object. On request completion, indicates the status |
|
562 */ |
|
563 virtual void SendRequest(const TDesC8& aURI, |
|
564 const TDesC8& aRequest, |
|
565 const TInt aTimeout, |
|
566 TRequestStatus& aStatus) = 0; |
|
567 |
|
568 /** |
|
569 * Cancel the request. |
|
570 */ |
|
571 |
|
572 virtual void CancelRequest() = 0; |
|
573 |
|
574 // The following methods will only be called after the aStatus above is completed |
|
575 |
|
576 /** |
|
577 * Get the response data. Panic if completion gave an error. |
|
578 */ |
|
579 |
|
580 virtual TPtrC8 GetResponse() const = 0; |
|
581 }; |
|
582 |
|
583 |
|
584 /** |
|
585 * Specifies paremeters needed to perform revocation checking. The important |
|
586 * things to set are the certificates to be checked all - all the other |
|
587 * parameters have defaults. |
|
588 */ |
|
589 |
|
590 class COCSPParameters : public CBase |
|
591 { |
|
592 public: |
|
593 |
|
594 /** |
|
595 * Create a new parameters object. |
|
596 */ |
|
597 |
|
598 IMPORT_C static COCSPParameters* NewL(); |
|
599 IMPORT_C static COCSPParameters* NewLC(); |
|
600 |
|
601 /** |
|
602 * Add a certificate chain to be checked. Does not take ownership - |
|
603 * certificates must not be destroyed until the OCSP check complete. |
|
604 */ |
|
605 |
|
606 IMPORT_C void AddCertificatesL(const CX509CertChain& aChain); |
|
607 |
|
608 /** |
|
609 * Add a certificate to be checked. Does not take ownership - certificates |
|
610 * must not be destroyed until the OCSP check complete. |
|
611 */ |
|
612 |
|
613 IMPORT_C void AddCertificateL(const CX509Certificate& aSubject, const CX509Certificate& aIssuer); |
|
614 |
|
615 /** |
|
616 * Set whether or not to use a nonce. By default this is turned on. |
|
617 */ |
|
618 |
|
619 IMPORT_C void SetUseNonce(TBool aUseNonce); |
|
620 |
|
621 /** |
|
622 * Set the URI of the OCSP responder to use. The descriptor is copied. |
|
623 * |
|
624 * @param aURI The URI of the responder to use. |
|
625 * @param aUseAIA Indicates whether to use the responder specified in |
|
626 * certifcate AuthorityInfoAccess extensions in preference to the one given |
|
627 * here. |
|
628 */ |
|
629 |
|
630 IMPORT_C void SetURIL(const TDesC8& aURI, TBool aUseAIA); |
|
631 |
|
632 /** |
|
633 * Set the transport to use. This method must be called - if no transport |
|
634 * is set COCSPClient::NewL will leave with KErrArgument. This object takes |
|
635 * ownership. |
|
636 */ |
|
637 |
|
638 IMPORT_C void SetTransport(MOCSPTransport* aTransport); |
|
639 |
|
640 /** |
|
641 * Set the retry count for failed send request attempts. |
|
642 * A default value of 1 (no retry) is used. |
|
643 * |
|
644 * @param aRetryCount Retry count |
|
645 */ |
|
646 IMPORT_C void SetRetryCount(const TUint aRetryCount); |
|
647 |
|
648 /** |
|
649 * Set the request timeout. |
|
650 * A default value of -1 (default transport timeout) is used. |
|
651 * |
|
652 * @param aTimeout Request timeout in milliseconds |
|
653 */ |
|
654 IMPORT_C void SetTimeout(const TInt aTimeout); |
|
655 |
|
656 /** |
|
657 * Add an authorisation scheme - takes ownership if it doesn't leave. |
|
658 * Clients must specify at least one such scheme, used to validate the signature |
|
659 * on the response. |
|
660 */ |
|
661 |
|
662 IMPORT_C void AddAuthorisationSchemeL(MOCSPAuthorisationScheme* aScheme); |
|
663 |
|
664 IMPORT_C void AddAllAuthorisationSchemesL(const TUid& aCertStoreUid, MCertStore& aCertStore); |
|
665 |
|
666 /** |
|
667 * Specify the authorisation time (optional - uses producedAt time from response otherwise). |
|
668 */ |
|
669 |
|
670 IMPORT_C void SetValidationTimeL(const TTime& aValidationTime); |
|
671 |
|
672 /** |
|
673 * Specify the maximum age of the thisUpdate field in seconds (zero => don't check). |
|
674 */ |
|
675 |
|
676 IMPORT_C void SetMaxStatusAgeL(TUint aMaxAge); |
|
677 |
|
678 /** |
|
679 * Specify how much leeway we allow when comparing times. |
|
680 */ |
|
681 |
|
682 IMPORT_C void SetTimeLeewayL(TUint aLeewaySeconds); |
|
683 |
|
684 IMPORT_C void SetOCSPCheckForResponderCert(const TBool aResponderCertCheck); |
|
685 |
|
686 IMPORT_C void SetCheckCertsWithAiaOnly(const TBool aCheckCertsWithAiaOnly); |
|
687 |
|
688 IMPORT_C void SetUseAIA(const TBool aUseAIA); |
|
689 |
|
690 public: |
|
691 |
|
692 // Not exported |
|
693 |
|
694 ~COCSPParameters(); |
|
695 TUint CertCount() const; |
|
696 const CX509Certificate& SubjectCert(TUint aIndex) const; |
|
697 const CX509Certificate& IssuerCert(TUint aIndex) const; |
|
698 TBool UseNonce() const; |
|
699 const TDesC8& DefaultURI() const; |
|
700 TBool UseAIA() const; |
|
701 MOCSPTransport* Transport() const; |
|
702 TUint AuthSchemeCount() const; |
|
703 MOCSPAuthorisationScheme& AuthScheme(TUint aIndex) const; |
|
704 const TTime* ValidationTime() const; |
|
705 const TUint* MaxStatusAge() const; |
|
706 const TUint* TimeLeeway() const; |
|
707 TBool GenerateResponseForMissingUri() const; |
|
708 |
|
709 TUint RetryCount() const; |
|
710 TInt Timeout() const; |
|
711 TBool ReponderCertCheck() const; |
|
712 const CX509Certificate& CACert(TUint aIndex) const; |
|
713 TBool CheckCertsWithAiaOnly() const; |
|
714 |
|
715 private: |
|
716 void ConstructL(); |
|
717 COCSPParameters(); |
|
718 |
|
719 #ifdef _DEBUG |
|
720 /** Panic codes used by this functions in this class. */ |
|
721 enum TPanic |
|
722 { |
|
723 /** AddAllAuthorisationSchemesL() called when already added at least one. */ |
|
724 EAAASAlreadyHaveSchemes = 0x10 |
|
725 }; |
|
726 static void Panic(TPanic aPanic); |
|
727 #endif |
|
728 private: |
|
729 |
|
730 RPointerArray<CX509Certificate> iSubjectCerts; |
|
731 RPointerArray<CX509Certificate> iIssuerCerts; |
|
732 TBool iUseNonce; |
|
733 HBufC8* iDefaultURI; |
|
734 MOCSPTransport* iTransport; |
|
735 TBool iUseAIA; |
|
736 RPointerArray<MOCSPAuthorisationScheme> iAuthSchemes; |
|
737 TTime* iValidationTime; |
|
738 TUint* iMaxStatusAge; |
|
739 TUint* iTimeLeeway; |
|
740 TBool iGenerateResponseForMissingUri; |
|
741 |
|
742 TBool iResponderCertCheck; |
|
743 TUint iRetryCount; |
|
744 TInt iTimeout; |
|
745 TBool iCheckCertsWithAiaOnly; |
|
746 }; |
|
747 |
|
748 |
|
749 /** |
|
750 * Checks the revocation state of one or more certificates. |
|
751 * |
|
752 * The current implementation makes one OCSP request for every certificate |
|
753 * checked - future impelementations may check multiple certificates with a |
|
754 * single request. |
|
755 */ |
|
756 |
|
757 class COCSPClient : public CActive |
|
758 { |
|
759 public: |
|
760 |
|
761 /** |
|
762 * Create a new OCSP client. |
|
763 * |
|
764 * @param aParams An object describing the parameters for the check. This |
|
765 * method takes ownership if it does not leave. |
|
766 */ |
|
767 |
|
768 IMPORT_C static COCSPClient* NewL(const COCSPParameters* aParams); |
|
769 |
|
770 ~COCSPClient(); |
|
771 |
|
772 /** |
|
773 * Start the checker - this is an asynchronous method. |
|
774 */ |
|
775 |
|
776 IMPORT_C void Check(TRequestStatus& aStatus); |
|
777 |
|
778 /** |
|
779 * Cancel checking. |
|
780 */ |
|
781 |
|
782 IMPORT_C void CancelCheck(void); |
|
783 |
|
784 /** |
|
785 * Get the summary result of the check. If any certificates were revoked, |
|
786 * this returns ERevoked. If no certificates were revoked, but if there |
|
787 * were any errors communicating with ocsp servers or any certs had unknown |
|
788 * status, this returns EUnknown. Otherwise it returns EGood. |
|
789 * Panics if the check has not been run, or is not complete. |
|
790 */ |
|
791 |
|
792 IMPORT_C OCSP::TResult SummaryResult(void) const; |
|
793 |
|
794 /** |
|
795 * Get the number of transactions made. |
|
796 * Panics if the check has not been run, or is not complete. |
|
797 */ |
|
798 |
|
799 IMPORT_C TInt TransactionCount(void) const; |
|
800 |
|
801 /** |
|
802 * Get the request object for a specified transaction. |
|
803 * Panics if the check has not been run, is not complete, or the index is invalid. |
|
804 */ |
|
805 |
|
806 IMPORT_C const COCSPRequest& Request(TInt aIndex) const; |
|
807 |
|
808 /** |
|
809 * Get the outcome for an individual transaction. |
|
810 */ |
|
811 |
|
812 IMPORT_C const TOCSPOutcome& Outcome(TInt aIndex) const; |
|
813 |
|
814 /** |
|
815 * Get the response object for a specified transaction. If there was an |
|
816 * error sending the request, this may return NULL for the corresponding |
|
817 * response. |
|
818 * Panics if the check has not been run, is not complete, or the index is invalid. |
|
819 */ |
|
820 |
|
821 IMPORT_C const COCSPResponse* Response(TInt aIndex) const; |
|
822 |
|
823 IMPORT_C TBool CertsAvailableForOCSPCheck(); |
|
824 |
|
825 protected: |
|
826 virtual void RunL(); |
|
827 virtual TInt RunError(TInt aErr); |
|
828 virtual void DoCancel(); |
|
829 |
|
830 private: |
|
831 |
|
832 enum TState |
|
833 { |
|
834 EInitial, |
|
835 ESendingRequest, // Request is being sent to server |
|
836 EValidatingResponse, // Request is being validated |
|
837 EHaveResult, // Validation complete |
|
838 EError, // We got an error |
|
839 }; |
|
840 |
|
841 COCSPClient(); |
|
842 void ConstructL(const COCSPParameters* aParams); |
|
843 void Destroy(); |
|
844 void DoCheck(); |
|
845 void SendRequest(); |
|
846 void DoSendRequestL(); |
|
847 void ValidateResponseL(); |
|
848 void HandleResponseReceivedL(); |
|
849 void HandleResponseValidatedL(); |
|
850 void HandleTransactionErrorL(OCSP::TStatus aStatus); |
|
851 |
|
852 TState iState; |
|
853 TRequestStatus* iClientStatus; |
|
854 const COCSPParameters* iParams; |
|
855 const TDesC8* iURI; |
|
856 MOCSPTransport* iTransport; |
|
857 COCSPTransaction* iTransaction; |
|
858 RPointerArray<COCSPRequest> iRequests; |
|
859 RPointerArray<COCSPResponse> iResponses; |
|
860 COCSPValidator* iValidator; |
|
861 RArray<TOCSPOutcome> iOutcomes; |
|
862 OCSP::TResult iSummaryResult; |
|
863 |
|
864 }; |
|
865 |
|
866 |
|
867 #endif // OCSPREQUESTANDRESPONSE_H |