diff -r 33413c0669b9 -r c9c2ad51f972 vpnengine/pkiservice/src/pkimapper.cpp --- a/vpnengine/pkiservice/src/pkimapper.cpp Thu Dec 17 09:14:51 2009 +0200 +++ b/vpnengine/pkiservice/src/pkimapper.cpp Thu Jan 07 13:26:15 2010 +0200 @@ -17,347 +17,14 @@ * */ - -#include #include #include "PKIMapper.h" -#include "pkcs10.h" +#include "mapdescriptor.h" #include "log_r6.h" #include "pkiserviceassert.h" -CMapDescriptor::CMapDescriptor(TSecurityObjectDescriptor &aDesc) - { - this->iSubjectKeyId = aDesc.iSubjectKeyId; - this->iOwnerType = aDesc.iOwnerType; - this->iKeySize = aDesc.iKeySize; - this->iKeyAlgorithm = aDesc.iKeyAlgorithm; - this->iIsDeletable = aDesc.iIsDeletable; - } - -CMapDescriptor& CMapDescriptor::operator=(CMapDescriptor& aMapDesc) -{ - delete this->iTrustedAuthority; - this->iTrustedAuthority = NULL; - if(aMapDesc.iTrustedAuthority != NULL) - { - this->iTrustedAuthority = aMapDesc.iTrustedAuthority->Des().AllocL(); // Cert TrustedAuthority - } - delete this->iIdentitySubjectName; - this->iIdentitySubjectName = NULL; - if(aMapDesc.iIdentitySubjectName != NULL) - { - this->iIdentitySubjectName = aMapDesc.iIdentitySubjectName->Des().AllocL(); // Identity subject name - } - delete this->iIdentityRfc822Name; - this->iIdentityRfc822Name = NULL; - if(aMapDesc.iIdentityRfc822Name != NULL) - { - this->iIdentityRfc822Name = aMapDesc.iIdentityRfc822Name->Des().AllocL(); // Identity subjectAltName rfc822 name - } - delete this->iSerialNumber; - this->iSerialNumber = NULL; - if(aMapDesc.iSerialNumber != NULL) - { - this->iSerialNumber = aMapDesc.iSerialNumber->Des().AllocL(); // Serialnumber - } - - this->iSubjectKeyId = aMapDesc.iSubjectKeyId; // SHA1 hash of the corresponding private key - this->iOwnerType = aMapDesc.iOwnerType; // User, CA or peer. If user certificate, at least key usage must be set - this->iKeyUsageDer = aMapDesc.iKeyUsageDer; // Der format flags - this->iObjectName = aMapDesc.iObjectName; - this->iKeySize = aMapDesc.iKeySize; // Key size - this->iKeyAlgorithm = aMapDesc.iKeyAlgorithm; // RSA, DSA - this->iStartTime = aMapDesc.iStartTime; - this->iEndTime = aMapDesc.iEndTime; - this->iIsDeletable = aMapDesc.iIsDeletable; - TInt i; - for(i=0;iiApplUids.Append(aMapDesc.iApplUids[i]); - } - - this->iCertStoreType = aMapDesc.iCertStoreType; - return *this; -} - - -TBool CMapDescriptor::IsMatchingL(TSecurityObjectDescriptor &aDesc, - const TBool aInfoOnly, - TPkiServiceStoreType aCertStoreType) const - { - TBool match(EFalse); - - LOG(Log::Printf(_L("Matching"))); - LOG_1(" Pure informational: %d", aInfoOnly); - - LOG(Log::Printf(_L("Matching: certificate %S"), &iObjectName)); - for(;;) - { - if (aDesc.iOwnerType != EPKICACertificate && - aCertStoreType != EPkiStoreTypeAny) - { - if (iCertStoreType != aCertStoreType) - { - LOG(Log::Printf(_L(" Store doesn't match, aborting"))); - match = EFalse; - break; - } - } - else - { - LOG(Log::Printf(_L("Skipping store check, not relevant"))); - } - - - if (aDesc.iSubjectKeyIdUsed) - { - if(iSubjectKeyId == aDesc.iSubjectKeyId) - { - match = ETrue; - } - else - { - match = EFalse; - break; - } - } - - if(aDesc.iTrustedAuthorityUsed) - { - if(iTrustedAuthority == NULL) - { - match = EFalse; - break; - } - else - { - CX500DistinguishedName* dnSuffix1 = CX500DistinguishedName::NewLC(*iTrustedAuthority); - CX500DistinguishedName* dnSuffix2; - TInt popCount = 3; - - // ASN1 or plain text - if((aDesc.iTrustedAuthority[0] != 0x30) - || ((aDesc.iTrustedAuthority[1] != 0x81) - && (aDesc.iTrustedAuthority[1] != 0x82) - && ((aDesc.iTrustedAuthority[1] + 2) != aDesc.iTrustedAuthority.Length()))) - { - HBufC8* name2Der; - CPkcs10Req::BuildDistinguishedNameDerFromTextL(name2Der, - aDesc.iTrustedAuthority, - EFalse, KNullDesC8); - CleanupStack::PushL(name2Der); - - dnSuffix2 = CX500DistinguishedName::NewLC(*name2Der); - } - else - { - dnSuffix2 = CX500DistinguishedName::NewLC(aDesc.iTrustedAuthority); - popCount = 2; - } - - - if(PkiUtil::MatchL(*dnSuffix1, *dnSuffix2)) - { - match = ETrue; - CleanupStack::PopAndDestroy(popCount); - } - else - { - match = EFalse; - CleanupStack::PopAndDestroy(popCount); - break; - } - } - } - if(aDesc.iOwnerTypeUsed) - { - if(iOwnerType == aDesc.iOwnerType) - { - match = ETrue; - } - else - { - match = EFalse; - break; - } - } - if(aDesc.iSerialNumberUsed) - { - if ((iSerialNumber != NULL) && ((*iSerialNumber).Compare(aDesc.iSerialNumber) == 0)) - { - match = ETrue; - } - else - { - match = EFalse; - break; - } - } - - if(aDesc.iIdentitySubjectNameUsed) - { - if(iIdentitySubjectName == NULL) - { - match = EFalse; - break; - } - else - { - CX500DistinguishedName* dnSuffix1 = CX500DistinguishedName::NewLC(*iIdentitySubjectName); - CX500DistinguishedName* dnSuffix2; - TInt popCount = 3; - // ASN1 or plain text - if((aDesc.iIdentitySubjectName[0] != 0x30) - || ((aDesc.iIdentitySubjectName[1] != 0x81) - && (aDesc.iIdentitySubjectName[1] != 0x82) - && ((aDesc.iIdentitySubjectName[1] + 2) != aDesc.iIdentitySubjectName.Length()))) - { - HBufC8* name2Der; - CPkcs10Req::BuildDistinguishedNameDerFromTextL(name2Der, - aDesc.iIdentitySubjectName, - EFalse, KNullDesC8); - CleanupStack::PushL(name2Der); - - dnSuffix2 = CX500DistinguishedName::NewLC(*name2Der); - } - else - { - dnSuffix2 = CX500DistinguishedName::NewLC(aDesc.iIdentitySubjectName); - popCount = 2; - } - - if(PkiUtil::MatchL(*dnSuffix1, *dnSuffix2)) - { - CleanupStack::PopAndDestroy(popCount); - match = ETrue; - } - else - { - CleanupStack::PopAndDestroy(popCount); - match = EFalse; - break; - } - } - } - - if(aDesc.iIdentityRfc822NameUsed) - { - if(iIdentityRfc822Name == NULL) - { - match = EFalse; - break; - } - else - { - TInt bytes = aDesc.iIdentityRfc822Name.Length(); - TPtrC8 tail = (*iIdentityRfc822Name).Right(bytes); - if (tail.CompareF(aDesc.iIdentityRfc822Name) == 0) - { - match = ETrue; - } - else - { - match = EFalse; - break; - } - } - } - - if(aDesc.iKeyUsageUsed) - { - CX509KeyUsageExt* tempUsage = NULL; - if(iKeyUsageDer.Length() != 0) - { - tempUsage = CX509KeyUsageExt::NewL(iKeyUsageDer); - } - if((tempUsage == NULL) || tempUsage->IsSet(aDesc.iKeyUsage)) - { - delete tempUsage; - match = ETrue; - } - else - { - delete tempUsage; - match = EFalse; - break; - } - } - - if(aDesc.iKeySizeUsed) - { - if(iKeySize == aDesc.iKeySize) - { - match = ETrue; - } - else - { - match = EFalse; - break; - } - } - - if (match && !aInfoOnly) - { - TValidity val = CPKIMapper::CertValidity(iStartTime, iEndTime); - // Treat future certificates as valid - if((val == EValid) || (val == ENotValidYet)) - { - match = ETrue; - } - else - { - LOG_("Matching: Expired, and not an informational request"); - match = EFalse; - break; - } - } - - break; - } - - return match; - } - -TBool CMapDescriptor::IsEqual(CMapDescriptor &aDesc) - { - TBool match = EFalse; - - for(;;) - { - if((iTrustedAuthority != NULL) && (aDesc.iTrustedAuthority != NULL) && (iTrustedAuthority->Des().Compare(*aDesc.iTrustedAuthority) == 0)) - { - match = ETrue; - } - else - { - match = EFalse; - break; - } - - if((iSerialNumber != NULL) && (aDesc.iSerialNumber != NULL) && (iSerialNumber->Des().Compare(*aDesc.iSerialNumber) == 0)) - { - match = ETrue; - } - else - { - match = EFalse; - break; - } - - break; - } - - return match; - } - - -void CMapDescriptor::SetCertStoreType(TPkiServiceStoreType aCertStoreType) - { - iCertStoreType = aCertStoreType; - } - CPKIMapper* CPKIMapper::NewL() { CPKIMapper* self = new (ELeave) CPKIMapper(); @@ -397,19 +64,26 @@ return iCacheCreated; } -TInt CPKIMapper::AddMapping(CMapDescriptor& aMap) +TInt CPKIMapper::AddMapping(CMapDescriptor* aMap) { // Insert as first element, so that newest object will be found first - return iMapping->Insert(&aMap, 0); + TInt err = iMapping->Insert(aMap, 0); + if (err != KErrNone) + { + delete aMap; + } + return err; } void CPKIMapper::LogMap(CMapDescriptor &aDescriptor) const { - TInt len = aDescriptor.iSubjectKeyId.Length(); + TPtrC objectName = aDescriptor.Label(); + const TPKIKeyIdentifier& subjectKeyId = aDescriptor.CertificateKeyId(); + LOG(Log::Printf(_L("====CertificateObject====\n"))); - LOG(Log::Printf(_L("ObjectName: %S\n"), &(aDescriptor.iObjectName))); + LOG(Log::Printf(_L("ObjectName: %S\n"), &objectName)); LOG(Log::Printf(_L("KeyId:"))); - LOG(Log::HexDump(NULL, NULL, aDescriptor.iSubjectKeyId.Ptr(), len)); + LOG(Log::HexDump(NULL, NULL, subjectKeyId.Ptr(), subjectKeyId.Length())); } @@ -423,23 +97,7 @@ iMapping->Compress(); } -TInt CPKIMapper::DeleteMapping(CMapDescriptor &aDesc) - { - TInt status(KErrNotFound); - - for(TInt i(0); i < iMapping->Count(); i++) - { - if((*iMapping)[i]->IsEqual(aDesc)) - { - DeleteMapping(i); - status = KErrNone; - break; - } - } - return status; - } - -TInt CPKIMapper::CertCount() +TInt CPKIMapper::CertCount(TBool aInfoOnly) { TInt count(0); @@ -447,7 +105,7 @@ { CMapDescriptor* mapping = (*iMapping)[i]; count++; - if (CertValidity(mapping->iStartTime, mapping->iEndTime) == EExpired) + if (!aInfoOnly && mapping->CertValidity() == CMapDescriptor::EExpired) { // do not count expider certificates count--; @@ -459,65 +117,70 @@ TInt CPKIMapper::ApplicableCertCount(const RArray& aUidArray) { - TInt count(0); - TBool uidMatch(EFalse); + iCount = 0; - for(TInt i(0); i < iMapping->Count(); i++) + for(TInt i = 0; i < iMapping->Count(); i++) { - CMapDescriptor* mapping = (*iMapping)[i]; - if(mapping->iOwnerType == EPKICACertificate) + const CMapDescriptor* mapping = (*iMapping)[i]; + if(mapping->OwnerType() == EPKICACertificate) { - if(CertValidity(mapping->iStartTime, mapping->iEndTime) != EExpired) + if(mapping->CertValidity() != CMapDescriptor::EExpired) { - uidMatch = EFalse; - for(TInt j = 0; j < mapping->iApplUids.Count(); j++) + for (TInt j = 0; j < aUidArray.Count(); ++j) { - for(TInt k = 0; k < aUidArray.Count(); k++) + if (mapping->IsApplicable(aUidArray[j])) { - if(mapping->iApplUids[j].iUid == aUidArray[k].iUid) - { - uidMatch = ETrue; - break; - } - } - if(uidMatch) - { - count++; + iCount++; break; } } } } } - iCount = count; - return count; + + return iCount; } +TInt CPKIMapper::GetCertDetailsL(TSecurityObjectDescriptor& aSecDesc, + TPkiServiceStoreType aStoreType, + TBool aInfoOnly, + TCertificateListEntry& aResultCertInfo) + { + TInt index; + TInt err; + + TRAPD(leave, err = ResolveCertMappingL(aSecDesc, iObjectName, + index, aInfoOnly, + aStoreType)); + if (leave != KErrNone) + { + return leave; + } + + if (err == KErrNone) + { + const CMapDescriptor* mapping = (*iMapping)[index]; + aResultCertInfo.iObjectName = mapping->Label(); + aResultCertInfo.iOwnerType = mapping->OwnerType(); + aResultCertInfo.iTrustedAuthority = mapping->TrustedAuthority(); + aResultCertInfo.iIdentitySubjectName = mapping->IdentitySubjectName(); + aResultCertInfo.iSerialNumber = mapping->SerialNumber(); + aResultCertInfo.iSubjectKeyId = mapping->CertificateKeyId(); + aResultCertInfo.iKeySize = mapping->KeySize(); + aResultCertInfo.iKeyAlgorithm = mapping->KeyAlgorithm(); + aResultCertInfo.iIsDeletable = mapping->Deletable(); + } + return err; + } -TInt CPKIMapper::GetCertListL(const RMessage2 &aMessage, TPkiServiceStoreType aStoreType, - TBool aDescUsed) + +TInt CPKIMapper::GetCertListL(const RMessage2 &aMessage, TBool aInfoOnly) { TInt pos = 0; TInt iLast = 0; TInt iFirst = 0; - - if(aDescUsed) - { - aMessage.ReadL(1, iCurrentDescriptor); - TSecurityObjectDescriptor& secDesc = iCurrentDescriptor(); - TInt status = ResolveCertMappingL( - iCurrentDescriptor(), iObjectName, iFirst, EFalse, aStoreType); - if(status == KErrNone) - { - iCount = 1; - iLast = iFirst + 1; - } - } - else - { - iLast = iMapping->Count(); - } + iLast = iMapping->Count(); CBufFlat* list = CBufFlat::NewL(sizeof(TCertificateListEntry)); CleanupStack::PushL(list); list->ResizeL(iCount * sizeof(TCertificateListEntry)); @@ -526,26 +189,17 @@ for(TInt i = iFirst; i < iLast; i++) { CMapDescriptor* mapping = (*iMapping)[i]; - if(CertValidity(mapping->iStartTime, mapping->iEndTime) != EExpired) + if(aInfoOnly || mapping->CertValidity() != CMapDescriptor::EExpired) { - certInfo.iObjectName = mapping->iObjectName; - certInfo.iOwnerType = mapping->iOwnerType; - if(mapping->iTrustedAuthority != NULL) - { - certInfo.iTrustedAuthority = *(mapping->iTrustedAuthority); - } - if(mapping->iIdentitySubjectName != NULL) - { - certInfo.iIdentitySubjectName = *(mapping->iIdentitySubjectName); - } - if(mapping->iSerialNumber != NULL) - { - certInfo.iSerialNumber = *(mapping->iSerialNumber); - } - certInfo.iSubjectKeyId = mapping->iSubjectKeyId; - certInfo.iKeySize = mapping->iKeySize; // Key size - certInfo.iKeyAlgorithm = mapping->iKeyAlgorithm; // RSA, DSA - certInfo.iIsDeletable = mapping->iIsDeletable; // IsDeletable + certInfo.iObjectName = mapping->Label(); + certInfo.iOwnerType = mapping->OwnerType(); + certInfo.iTrustedAuthority = mapping->TrustedAuthority(); + certInfo.iIdentitySubjectName = mapping->IdentitySubjectName(); + certInfo.iSerialNumber = mapping->SerialNumber(); + certInfo.iSubjectKeyId = mapping->CertificateKeyId(); + certInfo.iKeySize = mapping->KeySize(); // Key size + certInfo.iKeyAlgorithm = mapping->KeyAlgorithm(); // RSA, DSA + certInfo.iIsDeletable = mapping->Deletable(); // IsDeletable list->Write(pos * sizeof(TCertificateListEntry), (TAny*)&certInfo, @@ -567,8 +221,7 @@ void CPKIMapper::GetApplicableCertListL(const RMessage2& aMessage, const RArray& aUidArray) { - TBool uidMatch = EFalse; - TInt pos(0); + TInt pos = 0; CBufFlat* list = CBufFlat::NewL(sizeof(TCertificateListEntry)); CleanupStack::PushL(list); @@ -578,41 +231,23 @@ for(TInt i = 0; (i < iMapping->Count()) && (pos < iCount); i++) { CMapDescriptor* mapping = (*iMapping)[i]; - if(mapping->iOwnerType == EPKICACertificate) + if(mapping->OwnerType() == EPKICACertificate) { - if(CertValidity(mapping->iStartTime, mapping->iEndTime) != EExpired) + if(mapping->CertValidity() != CMapDescriptor::EExpired) { - uidMatch = EFalse; - for(TInt j = 0; j < mapping->iApplUids.Count(); j++) + for(TInt j = 0; j < aUidArray.Count(); j++) { - for(TInt k = 0; k < aUidArray.Count(); k++) - { - if(mapping->iApplUids[j].iUid == aUidArray[k].iUid) - { - uidMatch = ETrue; - break; - } - } - if(uidMatch) + if(mapping->IsApplicable(aUidArray[j])) { - certInfo.iObjectName = mapping->iObjectName; - certInfo.iOwnerType = mapping->iOwnerType; - if(mapping->iTrustedAuthority != NULL) - { - certInfo.iTrustedAuthority = *(mapping->iTrustedAuthority); - } - if(mapping->iIdentitySubjectName != NULL) - { - certInfo.iIdentitySubjectName = *(mapping->iIdentitySubjectName); - } - if(mapping->iSerialNumber != NULL) - { - certInfo.iSerialNumber = *(mapping->iSerialNumber); - } - certInfo.iSubjectKeyId = mapping->iSubjectKeyId; - certInfo.iKeySize = mapping->iKeySize; // Key size - certInfo.iKeyAlgorithm = mapping->iKeyAlgorithm; // RSA, DSA - certInfo.iIsDeletable = mapping->iIsDeletable; // IsDeletable + certInfo.iObjectName = mapping->Label(); + certInfo.iOwnerType = mapping->OwnerType(); + certInfo.iTrustedAuthority = mapping->TrustedAuthority(); + certInfo.iIdentitySubjectName = mapping->IdentitySubjectName(); + certInfo.iSerialNumber = mapping->SerialNumber(); + certInfo.iSubjectKeyId = mapping->CertificateKeyId(); + certInfo.iKeySize = mapping->KeySize(); // Key size + certInfo.iKeyAlgorithm = mapping->KeyAlgorithm(); // RSA, DSA + certInfo.iIsDeletable = mapping->Deletable(); // IsDeletable list->Write(pos * sizeof(TCertificateListEntry), (TAny*)&certInfo, @@ -658,7 +293,7 @@ if(status == KErrNone) { - aKeyId.Copy((*iMapping)[index]->iSubjectKeyId); + aKeyId.Copy((*iMapping)[index]->CertificateKeyId()); } else { @@ -676,7 +311,7 @@ { for (TInt i(0); i < iMapping->Count(); i++) { - if ((*iMapping)[i]->iObjectName.Compare(aLabel) == 0) + if ((*iMapping)[i]->Label().Compare(aLabel) == 0) { return EFalse; } @@ -710,21 +345,21 @@ CMapDescriptor* mapitem = (*iMapping)[i]; // Use subject name for uniqueness criterion - if (mapitem->iIdentitySubjectName) + if (mapitem->IdentitySubjectName().Length() > 0) { - if (subjectname->Compare(*(mapitem->iIdentitySubjectName)) == 0) + if (subjectname->Compare(mapitem->IdentitySubjectName()) == 0) { LOG(Log::Printf(_L("Found an existing cert that matches subject"))); - if (issuername->Compare(*(mapitem->iTrustedAuthority)) == 0) + if (issuername->Compare(mapitem->TrustedAuthority()) == 0) { ret = EFalse; break; } } } - else if (mapitem->iTrustedAuthority && (subjectname->Compare(*issuername) == 0)) + else if (subjectname->Compare(*issuername) == 0) { - if (subjectname->Compare(*(mapitem->iTrustedAuthority)) == 0) + if (subjectname->Compare(mapitem->TrustedAuthority()) == 0) { LOG(Log::Printf(_L("Found an existing cert that matches subject (CA)"))); ret = EFalse; @@ -814,11 +449,11 @@ TBuf<12> buf; buf.Append(KMidp2Label); // Discard all MIDP2 certificates to avoid label-mapping problem - if (buf.Compare(mapping->iObjectName) != 0) + if (buf.Compare(mapping->Label()) != 0) { - if(mapping->iEndTime > furthestEndTime) + if(mapping->EndTime() > furthestEndTime) { - furthestEndTime = mapping->iEndTime; + furthestEndTime = mapping->EndTime(); foundIndex = i; LOG(Log::Printf(_L("Resolve cert mapping: Tentatively found a suitable one"))); // Continue to search the longest lasting certificate @@ -842,7 +477,7 @@ status = KErrNone; if(status == KErrNone) { - aFilename.Append((*iMapping)[foundIndex]->iObjectName); + aFilename.Append((*iMapping)[foundIndex]->Label()); status = KErrNone; aIndex = foundIndex; } @@ -855,25 +490,6 @@ } -TValidity CPKIMapper::CertValidity(const TTime &aStartTime, const TTime &aEndTime) - { - TTimeIntervalSeconds tolerance(120); - TTime currentTime; - currentTime.UniversalTime(); - - if (aEndTime <= currentTime) - { - return EExpired; - } - - if (aStartTime >= currentTime + tolerance) - { - return ENotValidYet; - } - - return EValid; - } - void CPKIMapper::LogSearchArguments(TSecurityObjectDescriptor &aDescriptor) const { TBuf<256> temp; @@ -944,41 +560,3 @@ } } -TBool PkiUtil::MatchL(const CX500DistinguishedName& aDn1, const CX500DistinguishedName& aDn2) -{ - if((aDn1.Count() == 0) || (aDn2.Count() == 0)) - { - return EFalse; - } - - if (aDn1.Count() < aDn2.Count()) - { - return EFalse; - } - else - { - // For each field in aDn2, aDn1 must contain a field with the same value - for (TInt i = 0; i < aDn2.Count(); i++) - { - if (!HasElementL(aDn1, aDn2.Element(i))) - { - return EFalse; - } - } - } - - return ETrue; -} - -TBool PkiUtil::HasElementL(const CX500DistinguishedName& aDn, const CX520AttributeTypeAndValue& aElement) -{ - for (TInt i = 0; i < aDn.Count(); i++) - { - if (aElement.ExactMatchL(aDn.Element(i))) - { - return ETrue; - } - } - return EFalse; -} -