diff -r 000000000000 -r ba25891c3a9e installationservices/swi/source/securitymanager/certchainconstraints.cpp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/installationservices/swi/source/securitymanager/certchainconstraints.cpp Thu Dec 17 08:51:10 2009 +0200 @@ -0,0 +1,302 @@ +/* +* Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). +* All rights reserved. +* This component and the accompanying materials are made available +* under the terms of the License "Eclipse Public License v1.0" +* which accompanies this distribution, and is available +* at the URL "http://www.eclipse.org/legal/epl-v10.html". +* +* Initial Contributors: +* Nokia Corporation - initial contribution. +* +* Contributors: +* +* Description: +* Developer mode certificate constraints implementation. +* +*/ + + +/** + @file + @released + @internalTechnology +*/ + +#include "certchainconstraints.h" +#include "x509constraintext.h" +#include +//#include "log.h" + +using namespace Swi; + +// +// CCertChainConstraints methods. +// + +EXPORT_C CCertChainConstraints* CCertChainConstraints::NewL(RPointerArray& aValidCerts) + { + CCertChainConstraints* self = CCertChainConstraints::NewLC(aValidCerts); + CleanupStack::Pop(self); + return self; + } + +EXPORT_C CCertChainConstraints* CCertChainConstraints::NewLC(RPointerArray& aValidCerts) + { + CCertChainConstraints* self = new(ELeave) CCertChainConstraints(); + CleanupStack::PushL(self); + self->ConstructL(aValidCerts); + return self; + } + +EXPORT_C CCertChainConstraints* CCertChainConstraints::NewL() + { + CCertChainConstraints* self = new(ELeave) CCertChainConstraints(); + return self; + } + +CCertChainConstraints::~CCertChainConstraints() + { + //Release the resources + iValidSIDs.Close(); + iValidVIDs.Close(); + iValidDeviceIDs.ResetAndDestroy(); + } + +EXPORT_C TBool CCertChainConstraints::SIDIsValid(TSecureId aRequestSID) const + { + TBool ret=ETrue; + if (iSIDsAreConstrained && (aRequestSID.iId & 0x80000000)==0 && KErrNotFound==iValidSIDs.Find(aRequestSID)) + { + ret=EFalse; + } + return ret; + } + +EXPORT_C TBool CCertChainConstraints::VIDIsValid(TVendorId aRequestVID) const + { + TBool ret=ETrue; + if (iVIDsAreConstrained && aRequestVID!=0 && KErrNotFound==iValidVIDs.Find(aRequestVID)) + { + ret=EFalse; + } + return ret; + } + +EXPORT_C TBool CCertChainConstraints::CapabilitiesAreValid(TCapabilitySet& aRequestCapabilities) const + { + return iValidCapabilities.HasCapabilities(aRequestCapabilities); + } + +EXPORT_C TBool CCertChainConstraints::DeviceIDIsValid(const HBufC* aRequestDeviceID) const + { + TBool ret=EFalse; + if (iDeviceIDsAreConstrained) + { + TInt deviceIDCount=iValidDeviceIDs.Count(); + //Check if request Device ID is in the valid device ID list + for(TInt i=0; iCompareF(*aRequestDeviceID)==0) + { + ret=ETrue; + break; + } + } + } + else + { + //No constaints on Device ID at all + ret=ETrue; + } + return ret; + } + +EXPORT_C TBool CCertChainConstraints::SIDsAreConstrained() const + { + return iSIDsAreConstrained; + } + +EXPORT_C TBool CCertChainConstraints::VIDsAreConstrained() const + { + return iVIDsAreConstrained; + } + +EXPORT_C TBool CCertChainConstraints::DeviceIDsAreConstrained() const + { + return iDeviceIDsAreConstrained; + } + +EXPORT_C TBool CCertChainConstraints::CapabilitiesAreConstrained() const + { + return iCapabilitiesAreConstrained; + } + +EXPORT_C const TCapabilitySet& CCertChainConstraints::ValidCapabilities() const + { + return iValidCapabilities; + } + +EXPORT_C void CCertChainConstraints::SetValidCapabilities(const TCapabilitySet& aValidCapabilities) + { + iValidCapabilities=aValidCapabilities; + } + +CCertChainConstraints::CCertChainConstraints() + { + //Pre-initialise the valid Capability to all capability supported + iValidCapabilities.SetAllSupported(); + } + +void CCertChainConstraints::ConstructL(RPointerArray& aValidCerts) + { + //Get the Cert Chain count + TInt certChainCount=aValidCerts.Count(); + + //Go through the certificate chains + for(TInt i=0; iCount(); + //Go through the certificate in one certificate chain + for (TInt j=0; jCert(j); + + //Retrieve the DeviceIDs and build the list + RetrieveExtensionDeviceIDListL(validCert); + + //Retrieve the Capabilities and build capability constraints + RetrieveExtensionCapabilitySetL(validCert); + + //Retrieve the SIDs and build the list + RetrieveExtensionSIDListL(validCert); + + //Retrieve the VIDs and build the list + RetrieveExtensionVIDListL(validCert); + } + } + } + +void CCertChainConstraints::RetrieveExtensionCapabilitySetL(const CX509Certificate& aCert) + { + const CX509CertExtension* certExt = aCert.Extension(KCapabilitiesConstraint); + if (certExt) + { + CX509CapabilitySetExt* capSetExt=CX509CapabilitySetExt::NewL(certExt->Data()); + iValidCapabilities.Intersection(capSetExt->CapabilitySet()); + delete capSetExt; + iCapabilitiesAreConstrained=ETrue; + } + } + +TBool CompareInstance(const HBufC& aFirst, const HBufC& aSecond) + { + return (aFirst.CompareF(aSecond) == 0); + } + +void CCertChainConstraints::RetrieveExtensionDeviceIDListL(const CX509Certificate& aCert) + { + if (!iDeviceIDsAreConstrained || (iDeviceIDsAreConstrained && iValidDeviceIDs.Count()>0)) + { + const CX509CertExtension* certExt = aCert.Extension(KDeviceIdListConstraint); + if (certExt) + { + CX509Utf8StringListExt* deviceIdExt=CX509Utf8StringListExt::NewLC(certExt->Data()); + const RPointerArray& buf=deviceIdExt->StringArray(); + // iValidDeviceIDs intersect the constrained Device ID set in the certificate + if (!iDeviceIDsAreConstrained) + { + TInt count=buf.Count(); + for (TInt i=0;iAllocLC(); + iValidDeviceIDs.AppendL(temp); + CleanupStack::Pop(temp); + } + iDeviceIDsAreConstrained=ETrue; + } + else + { + for (TInt k=iValidDeviceIDs.Count()-1;k>=0;k--) + { + if(KErrNotFound==buf.Find(iValidDeviceIDs[k],TIdentityRelation(CompareInstance))) + { + HBufC* temp=iValidDeviceIDs[k]; + iValidDeviceIDs.Remove(k); + delete temp; + } + } + } + CleanupStack::PopAndDestroy(deviceIdExt); + } + } + } + +void CCertChainConstraints::RetrieveExtensionSIDListL(const CX509Certificate& aCert) + { + if (!iSIDsAreConstrained || (iSIDsAreConstrained && iValidSIDs.Count()>0)) + { + const CX509CertExtension* certExt=aCert.Extension(KSidListConstraint); + if (certExt) + { + CX509IntListExt* intExt=CX509IntListExt::NewLC(certExt->Data()); + const RArray& sidList=intExt->IntArray(); + // iValidSIDs intersect the constrained sid set in the certificate + if (!iSIDsAreConstrained) + { + TInt count=sidList.Count(); + for (TInt i=0;i=0;k--) + { + if (sidList.Find(iValidSIDs[k].iId)==KErrNotFound) + { + iValidSIDs.Remove(k); + } + } + } + CleanupStack::PopAndDestroy(intExt); + } + } + } + +void CCertChainConstraints::RetrieveExtensionVIDListL(const CX509Certificate& aCert) + { + if (!iVIDsAreConstrained || (iVIDsAreConstrained && iValidVIDs.Count()>0)) + { + const CX509CertExtension* certExt=aCert.Extension(KVidListConstraint); + if (certExt) + { + CX509IntListExt* intExt=CX509IntListExt::NewLC(certExt->Data()); + const RArray& vidList=intExt->IntArray(); + // iValidVIDs intersect the constrained vid set in the certificate + if (!iVIDsAreConstrained) + { + TInt count=vidList.Count(); + for (TInt i=0;i=0;k--) + { + if (vidList.Find(iValidVIDs[k].iId)==KErrNotFound) + { + iValidVIDs.Remove(k); + } + } + } + CleanupStack::PopAndDestroy(intExt); + } + } + } +