|
1 // Copyright (c) 2002-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
2 // All rights reserved. |
|
3 // This component and the accompanying materials are made available |
|
4 // under the terms of "Eclipse Public License v1.0" |
|
5 // which accompanies this distribution, and is available |
|
6 // at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
7 // |
|
8 // Initial Contributors: |
|
9 // Nokia Corporation - initial contribution. |
|
10 // |
|
11 // Contributors: |
|
12 // |
|
13 // Description: |
|
14 // |
|
15 |
|
16 #include "transaction.h" |
|
17 #include "validator.h" |
|
18 #include "panic.h" |
|
19 #include <ocsp.h> |
|
20 #include <x509certext.h> |
|
21 #include <x509certchain.h> |
|
22 #include <x509cert.h> |
|
23 #include <asn1dec.h> |
|
24 |
|
25 EXPORT_C COCSPClient* COCSPClient::NewL(const COCSPParameters* aParams) |
|
26 { |
|
27 COCSPClient* self = new (ELeave) COCSPClient(); |
|
28 CleanupStack::PushL(self); |
|
29 self->ConstructL(aParams); |
|
30 CleanupStack::Pop(self); |
|
31 return self; |
|
32 } |
|
33 |
|
34 COCSPClient::COCSPClient() : |
|
35 CActive(EPriorityNormal) |
|
36 { |
|
37 CActiveScheduler::Add(this); |
|
38 } |
|
39 |
|
40 void COCSPClient::ConstructL(const COCSPParameters* aParams) |
|
41 { |
|
42 __ASSERT_ALWAYS(aParams, Panic(KErrArgument)); |
|
43 |
|
44 // Caller must supply transport |
|
45 if (!aParams->Transport()) |
|
46 { |
|
47 User::Leave(KErrArgument); |
|
48 } |
|
49 |
|
50 // Range check request timeout and retry values to avoid later panics |
|
51 if (aParams->Timeout() < KTransportDefaultRequestTimeout) |
|
52 { |
|
53 User::Leave(KErrArgument); |
|
54 } |
|
55 if (aParams->RetryCount() < KTransportDefaultRequestRetryCount) |
|
56 { |
|
57 User::Leave(KErrArgument); |
|
58 } |
|
59 |
|
60 iParams = aParams; // Take ownership |
|
61 |
|
62 // Make a request for every certificate |
|
63 for (TUint i = 0 ; i < aParams->CertCount() ; ++i) |
|
64 { |
|
65 // Following are the condition in which the request would not be |
|
66 // added for ocsp check: |
|
67 // If CheckCertsWithAiaOnly is enabled and certificate does |
|
68 // not contain AIA extension. |
|
69 // Or |
|
70 // CheckCertsWithAiaOnly is disabled and |
|
71 // GenerateResponseFromMissingURI is disabled and |
|
72 // AIA is absent and |
|
73 // Global OCSP URL is absent |
|
74 |
|
75 if (! ( ( aParams->CheckCertsWithAiaOnly() && |
|
76 !OCSPUtils::IsAIAForOCSPPresentL( aParams->SubjectCert(i) ) |
|
77 ) || |
|
78 ( !aParams->CheckCertsWithAiaOnly() |
|
79 && !aParams->GenerateResponseForMissingUri() |
|
80 && !OCSPUtils::IsAIAForOCSPPresentL(aParams->SubjectCert(i)) |
|
81 && aParams->DefaultURI() == KNullDesC8() |
|
82 ) |
|
83 ) |
|
84 ) |
|
85 { |
|
86 COCSPRequest* request = COCSPRequest::NewLC(aParams->UseNonce()); |
|
87 request->AddCertificateL(aParams->SubjectCert(i), aParams->IssuerCert(i)); |
|
88 User::LeaveIfError(iRequests.Append(request)); |
|
89 CleanupStack::Pop(request); |
|
90 } |
|
91 |
|
92 } |
|
93 iValidator = COCSPValidator::NewL(*aParams); |
|
94 } |
|
95 |
|
96 |
|
97 COCSPClient::~COCSPClient() |
|
98 { |
|
99 Cancel(); |
|
100 delete iParams; |
|
101 delete iURI; |
|
102 delete iTransport; |
|
103 delete iTransaction; |
|
104 delete iValidator; |
|
105 iRequests.ResetAndDestroy(); |
|
106 iResponses.ResetAndDestroy(); |
|
107 iOutcomes.Close(); |
|
108 } |
|
109 |
|
110 EXPORT_C OCSP::TResult COCSPClient::SummaryResult(void) const |
|
111 { |
|
112 __ASSERT_ALWAYS(iState == EHaveResult, Panic(KErrNotReady)); |
|
113 return iSummaryResult; |
|
114 } |
|
115 |
|
116 EXPORT_C TInt COCSPClient::TransactionCount(void) const |
|
117 { |
|
118 __ASSERT_ALWAYS(iState == EHaveResult, Panic(KErrNotReady)); |
|
119 return iResponses.Count(); |
|
120 } |
|
121 |
|
122 EXPORT_C const COCSPRequest& COCSPClient::Request(TInt aIndex) const |
|
123 { |
|
124 __ASSERT_ALWAYS(iState == EHaveResult, Panic(KErrNotReady)); |
|
125 __ASSERT_ALWAYS(aIndex >= 0 && aIndex < iRequests.Count(), Panic(KErrNotFound)); |
|
126 return *(iRequests[aIndex]); |
|
127 } |
|
128 |
|
129 EXPORT_C const TOCSPOutcome& COCSPClient::Outcome(TInt aIndex) const |
|
130 { |
|
131 __ASSERT_ALWAYS(iState == EHaveResult, Panic(KErrNotReady)); |
|
132 __ASSERT_ALWAYS(aIndex >= 0 && aIndex < iOutcomes.Count(), Panic(KErrNotFound)); |
|
133 return iOutcomes[aIndex]; |
|
134 } |
|
135 |
|
136 EXPORT_C const COCSPResponse* COCSPClient::Response(TInt aIndex) const |
|
137 { |
|
138 __ASSERT_ALWAYS(iState == EHaveResult, Panic(KErrNotReady)); |
|
139 __ASSERT_ALWAYS(aIndex >= 0 && aIndex < iResponses.Count(), Panic(KErrNotFound)); |
|
140 return iResponses[aIndex]; |
|
141 } |
|
142 |
|
143 EXPORT_C void COCSPClient::Check(TRequestStatus& aStatus) |
|
144 { |
|
145 __ASSERT_ALWAYS(iState == EInitial, Panic(KErrInUse)); |
|
146 |
|
147 iClientStatus = &aStatus; |
|
148 TInt err = KErrNone; |
|
149 |
|
150 if (iRequests.Count() == 0) |
|
151 { |
|
152 err = OCSP::KErrNoCertificates; |
|
153 } |
|
154 |
|
155 if (err == KErrNone) |
|
156 { |
|
157 aStatus = KRequestPending; |
|
158 DoCheck(); |
|
159 } |
|
160 |
|
161 if (err != KErrNone) |
|
162 { |
|
163 User::RequestComplete(iClientStatus, err); |
|
164 iState = EError; |
|
165 } |
|
166 } |
|
167 |
|
168 EXPORT_C void COCSPClient::CancelCheck() |
|
169 { |
|
170 Cancel(); |
|
171 } |
|
172 |
|
173 EXPORT_C TBool COCSPClient::CertsAvailableForOCSPCheck() |
|
174 { |
|
175 return iRequests.Count(); |
|
176 } |
|
177 |
|
178 TInt COCSPClient::RunError(TInt aError) |
|
179 { |
|
180 User::RequestComplete(iClientStatus, aError); |
|
181 iState = EError; |
|
182 return KErrNone; |
|
183 } |
|
184 |
|
185 void COCSPClient::DoCancel() |
|
186 { |
|
187 if (iTransaction) |
|
188 { |
|
189 iTransaction->CancelRequest(); |
|
190 } |
|
191 |
|
192 iValidator->Cancel(); |
|
193 if (iClientStatus) |
|
194 { |
|
195 User::RequestComplete(iClientStatus, KErrCancel); |
|
196 } |
|
197 } |
|
198 |
|
199 void COCSPClient::DoCheck() |
|
200 { |
|
201 iSummaryResult = OCSP::EGood; |
|
202 SendRequest(); |
|
203 } |
|
204 |
|
205 void COCSPClient::RunL() |
|
206 { |
|
207 switch (iState) |
|
208 { |
|
209 case ESendingRequest: |
|
210 HandleResponseReceivedL(); |
|
211 break; |
|
212 |
|
213 case EValidatingResponse: |
|
214 User::LeaveIfError(iStatus.Int()); |
|
215 HandleResponseValidatedL(); |
|
216 break; |
|
217 |
|
218 default: |
|
219 Panic(KErrCorrupt); |
|
220 break; |
|
221 } |
|
222 } |
|
223 |
|
224 /** |
|
225 * Receive the response, if the response was received correctly, |
|
226 * perform validation based on the scheme in use. |
|
227 */ |
|
228 void COCSPClient::HandleResponseReceivedL() |
|
229 { |
|
230 TInt status = iStatus.Int(); |
|
231 |
|
232 if (status == KErrNone) |
|
233 { |
|
234 COCSPResponse* response = iTransaction->TakeResponse(); |
|
235 CleanupStack::PushL(response); |
|
236 User::LeaveIfError(iResponses.Append(response)); |
|
237 CleanupStack::Pop(response); |
|
238 ValidateResponseL(); |
|
239 } |
|
240 else if (status > 0) |
|
241 { |
|
242 HandleTransactionErrorL(static_cast<OCSP::TStatus>(status)); |
|
243 } |
|
244 else if ((status == OCSP::KErrTransportFailure) || (status == OCSP::KErrServerNotFound)) |
|
245 { |
|
246 HandleTransactionErrorL(OCSP::ETransportError); |
|
247 } |
|
248 else if (status == OCSP::KErrInvalidURI) |
|
249 { |
|
250 HandleTransactionErrorL(OCSP::EInvalidURI); |
|
251 } |
|
252 else if (status == OCSP::KErrTransportTimeout) |
|
253 { |
|
254 HandleTransactionErrorL(OCSP::ETimeOut); |
|
255 } |
|
256 else |
|
257 { |
|
258 User::Leave(status); |
|
259 } |
|
260 } |
|
261 |
|
262 /** |
|
263 * Called when there's an error getting a response, and it's one of our non-fatal errors. |
|
264 * We record the error and continue checking. |
|
265 */ |
|
266 |
|
267 void COCSPClient::HandleTransactionErrorL(OCSP::TStatus aStatus) |
|
268 { |
|
269 User::LeaveIfError(iOutcomes.Append(TOCSPOutcome(aStatus, OCSP::EUnknown))); |
|
270 User::LeaveIfError(iResponses.Append(NULL)); |
|
271 HandleResponseValidatedL(); |
|
272 } |
|
273 |
|
274 /** |
|
275 * Following is the sequence followed in this method: |
|
276 * 1. Check the result for validation of the current response and update the Summary result accordingly. |
|
277 * 2. If delegate certificate has to be checked further initiate the same. |
|
278 * 3. if all request have not been processed then start validation for the next request. |
|
279 * 4. If all request have been processed complete the original client request. |
|
280 */ |
|
281 void COCSPClient::HandleResponseValidatedL() |
|
282 { |
|
283 TInt index = iOutcomes.Count() - 1; |
|
284 const TOCSPOutcome& outcome = iOutcomes[index]; |
|
285 |
|
286 if (outcome.iResult > iSummaryResult) |
|
287 { |
|
288 iSummaryResult = outcome.iResult; |
|
289 } |
|
290 |
|
291 if (iResponses.Count() < iRequests.Count()) |
|
292 { |
|
293 SendRequest(); |
|
294 } |
|
295 else |
|
296 { |
|
297 iState = EHaveResult; |
|
298 User::RequestComplete(iClientStatus, KErrNone); |
|
299 } |
|
300 } |
|
301 |
|
302 void COCSPClient::SendRequest() |
|
303 { |
|
304 TRAPD(error, DoSendRequestL()); |
|
305 |
|
306 // Handle errors in RunL |
|
307 if (error != KErrNone) |
|
308 { |
|
309 TRequestStatus* status = &iStatus; |
|
310 User::RequestComplete(status, error); |
|
311 } |
|
312 |
|
313 iState = ESendingRequest; |
|
314 SetActive(); |
|
315 } |
|
316 |
|
317 void COCSPClient::DoSendRequestL() |
|
318 { |
|
319 // Determine the next request to send by the number of responses received |
|
320 TInt index = iResponses.Count(); |
|
321 COCSPRequest& request = *(iRequests[index]); |
|
322 |
|
323 TDesC8* uri = NULL; |
|
324 TRAPD(error, uri = OCSPUtils::ServerUriL(request.CertInfo(0).Subject(),iParams)); |
|
325 |
|
326 if(error == KErrArgument) |
|
327 { |
|
328 TRequestStatus* status = &iStatus; |
|
329 User::RequestComplete(status, OCSP::ENoServerSpecified); |
|
330 return; |
|
331 } |
|
332 |
|
333 User::LeaveIfError(error); |
|
334 CleanupStack::PushL(uri); |
|
335 |
|
336 // if state is valid it means that uri has been retrieved. |
|
337 __ASSERT_ALWAYS(uri != NULL, Panic(OCSP::EInvalidURI)); |
|
338 MOCSPTransport& transport = *iParams->Transport(); |
|
339 |
|
340 delete iTransaction; |
|
341 iTransaction = NULL; |
|
342 iTransaction = COCSPTransaction::NewL(*uri, transport, iParams->RetryCount(), iParams->Timeout()); |
|
343 iTransaction->SendRequest(request, iStatus); |
|
344 CleanupStack::PopAndDestroy(uri); |
|
345 } |
|
346 |
|
347 /** |
|
348 * Each response received has to undergo validation based on RFC 2560 guidelines. |
|
349 */ |
|
350 void COCSPClient::ValidateResponseL() |
|
351 { |
|
352 TInt index = iResponses.Count() - 1; |
|
353 |
|
354 User::LeaveIfError(iOutcomes.Append(TOCSPOutcome())); |
|
355 __ASSERT_ALWAYS(iOutcomes.Count() == iResponses.Count(), Panic(KErrCorrupt)); |
|
356 |
|
357 iState = EValidatingResponse; |
|
358 iValidator->Validate(*(iRequests[index]), *(iResponses[index]), iOutcomes[index], iStatus); |
|
359 SetActive(); |
|
360 } |