1 // Copyright (c) 2001-2009 Nokia Corporation and/or its subsidiary(-ies).

     2 // All rights reserved.

     3 // This component and the accompanying materials are made available

     4 // under the terms of "Eclipse Public License v1.0"

     5 // which accompanies this distribution, and is available

     6 // at the URL "http://www.eclipse.org/legal/epl-v10.html".

     7 //

     8 // Initial Contributors:

     9 // Nokia Corporation - initial contribution.

    10 //

    11 // Contributors:

    12 //

    13 // Description:

    14 // request.h

    15 // Header for OCSP validator object.

    16 // 

    17 //

    18 

    19 /**

    20  @file 

    21  @internalComponent 

    22 */

    23 

    24 #ifndef __OCSP_VALIDATOR_H__

    25 #define __OCSP_VALIDATOR_H__

    26 

    27 #include <ocsp.h>

    28 #include "ocsprequestandresponse.h"

    29 /**

    30  * Validator.  Used to verify the legitimacy of an OCSP response, and the

    31  * certificates therein.  May specify time for certificate validation - if

    32  * omitted, the producedAt time in the response is used instead.

    33  */

    34 

    35 NONSHARABLE_CLASS(COCSPValidator) : public CActive

    36 	{

    37 public:

    38 	static COCSPValidator* NewL( const COCSPParameters& aParameters);

    39 	

    40 	~COCSPValidator();

    41 

    42 	/**

    43 	 * Specify Authorisation scheme(s) - doesn't take ownership

    44 	 */

    45 	

    46 	void AddAuthorisationSchemeL(MOCSPAuthorisationScheme& aScheme);

    47 

    48 	/**

    49 	 * Specify the authorisation time (NULL => use producedAt from response)

    50 	 * Default is to use producedAt.

    51 	 */

    52 	

    53 	void SetValidationTimeL(const TTime* aValidationTime);

    54 

    55 	/**

    56 	 * Specify the permissable maximum age of the thisUpdate field in

    57 	 * seconds. zero => don't check, default is 30 days. 

    58 	 */

    59 

    60 	void SetMaxStatusAge(TUint aMaxAge);

    61 

    62 	/**

    63 	 * Specify how much leeway we allow when comparing times - if we're using

    64 	 * the device clock, this allows for the fact that it may be out by a

    65 	 * certain amount.  Default is 5 seconds.

    66 	 */

    67 	

    68 	void SetTimeLeeway(TUint aLeewaySeconds);

    69 

    70 	/**

    71 	 * Validate a request/response pair, setting aOutcome to the result.

    72 	 * This is an asynchronous method.

    73 	 */

    74 	

    75 	void Validate(const COCSPRequest& aRequest, COCSPResponse& aResponse,

    76 				  TOCSPOutcome& aOutcome, TRequestStatus& aStatus);

    77 		

    78 protected:

    79 	virtual void DoCancel();

    80 	virtual void RunL();

    81 	virtual TInt RunError(TInt aError);

    82 

    83  private:

    84  	void ConstructL();

    85 	COCSPValidator( const COCSPParameters& aParameters);

    86 

    87 	void DoValidateL(const COCSPRequest& aRequest, COCSPResponse& aResponse,

    88 					 TOCSPOutcome& aOutcome, TRequestStatus& aStatus);

    89 

    90 	// Specific validation areas - return false if we should give up now.

    91 	TBool IsResponseWellFormed(); // Checks correct certs present in response.

    92 	TBool ValidateTimeL();

    93 	TBool ValidateNonce();

    94 

    95 	void ProcessSchemeValidationL();

    96 	void CheckSchemeValidationL();

    97 	void FinalResponseValidationL();

    98 	

    99 	TTime ValidationTime() const;

   100 

   101 	TBool TimeIsBeforeL(const TTime& aBefore, const TTime& aAfter);

   102 	

   103 	 void SendResponderCertL();

   104 	 void ValidateResponderCertL();

   105 	 

   106 	 OCSP::TResult CheckOCSPStatus(const COCSPResponse* aResponse) const;

   107 	 

   108 private:

   109 

   110 	// Array of integers, giving for each cert in the response the corresponding position in

   111 	// the request

   112 	RArray<TInt> iRequestIndex;

   113 	

   114 	const COCSPRequest* iRequest;

   115 	COCSPResponse* iResponse;

   116 

   117 	// User-supplied time for validation

   118 	TTime* iValidationTime;

   119 

   120 	// How old to allow thisUpdate to be

   121 	TUint iMaxStatusAge;

   122 

   123 	// Authorisation objects

   124 	RPointerArray<MOCSPAuthorisationScheme> iAuthorisationScheme;

   125 

   126 	TOCSPOutcome* iOutcome;

   127 	TRequestStatus* iValidationStatus;

   128 

   129 	enum TState

   130 		{

   131 		EValidating,

   132 		EWaitingResponse,

   133 		EValidateResponderCert,

   134 		};

   135 

   136 	TState iState;

   137 

   138 	// index of the last authorisation scheme we used

   139 	TInt iIndexScheme; 

   140 

   141 	TUint iLeewaySeconds;

   142 	

   143 	TBool iResponderCertCheck;

   144 	TBool iUseNonce;

   145 	// ownership lies with the relevant auth scheme

   146 	const CX509Certificate* iResponderCert;

   147 	const CX509Certificate* iIssuerCert;

   148 	COCSPRequest* iResponderCertRequest;

   149 	COCSPResponse* iResponderCertResponse;

   150 	COCSPTransaction* iTransaction;

   151 	// ownership lies with COCSPClient

   152 	const COCSPParameters* iParameters;

   153 	MOCSPAuthorisationScheme* iSchemeInUse;

   154 	};

   155 

   156 #endif