diff -r 675a964f4eb5 -r 35751d3474b7 cryptomgmtlibs/cryptotokenfw/inc/securitydefs.h --- a/cryptomgmtlibs/cryptotokenfw/inc/securitydefs.h Tue Jul 21 01:04:32 2009 +0100 +++ b/cryptomgmtlibs/cryptotokenfw/inc/securitydefs.h Thu Sep 10 14:01:51 2009 +0300 @@ -1,447 +1,299 @@ -/* -* Copyright (c) 2001-2009 Nokia Corporation and/or its subsidiary(-ies). -* All rights reserved. -* This component and the accompanying materials are made available -* under the terms of the License "Eclipse Public License v1.0" -* which accompanies this distribution, and is available -* at the URL "http://www.eclipse.org/legal/epl-v10.html". -* -* Initial Contributors: -* Nokia Corporation - initial contribution. -* -* Contributors: -* -* Description: -* General Security Definitions -* -*/ - - - - -/** - @file - @internalAll -*/ - -#ifndef __SECURITYDEFS_H__ -#define __SECURITYDEFS_H__ - -#include -#include - -/** General Security Definitions */ - -// Old keystore interface, deprecated ////////////////////////////////////////// - -/** - * What a key can be used for. - * The values this can take are defined in TKeyUsageVals. - * - * @publishedAll - * @deprecated - */ -typedef TInt TKeyUsage; - -/** - * What a key can be used for. - * - * These values can be ORed together if a key has several usages. EAllKeyUsages - * is used when searching for all keys, rather than ones with a particular - * usage. As these can be combined, TKeyUsage is used to store them. - * - * @publishedAll - * @deprecated - */ -enum TKeyUsageVals - { - EDigitalSignature = 0x80000000, - ENonRepudiation = 0x40000000, - EKeyEncipherment = 0x20000000, - EDataEncipherment = 0x10000000, - EKeyAgreement = 0x08000000, - EKeyCertSign = 0x04000000, - ECRLSign = 0x02000000, - EEncipherOnly = 0x01000000, - EDecipherOnly = 0x00800000, - EAllKeyUsages = -1 - }; - -// End of deprecated keystore API ////////////////////////////////////////////// - -/** - * What a key can be used for - PKCS#15 scheme. - * - * @publishedAll - * @released - */ -enum TKeyUsagePKCS15 - { - EPKCS15UsageEncrypt = 0x001, - EPKCS15UsageDecrypt = 0x002, - EPKCS15UsageSign = 0x004, - EPKCS15UsageSignRecover = 0x008, - EPKCS15UsageWrap = 0x010, - EPKCS15UsageUnwrap = 0x020, - EPKCS15UsageVerify = 0x040, - EPKCS15UsageVerifyRecover = 0x080, - EPKCS15UsageDerive = 0x100, - EPKCS15UsageNonRepudiation = 0x200, - // Common combinations - EPKCS15UsageEncryptWrap = 0x011, - EPKCS15UsageVerifyVerifyRecover = 0x0C0, - EPKCS15UsageDecryptUnwrap = 0x022, - EPKCS15UsageSignSignRecover = 0x00C, - EPKCS15UsageVerifyEncrypt = 0x0D1, - EPKCS15UsageSignDecrypt = 0x02E, - // For use in filters to return all keys - EPKCS15UsageAll = 0xffffffff, - EPKCS15UsageNone = 0x00000000 - }; - -inline TKeyUsagePKCS15 operator|(TKeyUsagePKCS15 aLeft, TKeyUsagePKCS15 aRight); -inline TKeyUsagePKCS15 operator&(TKeyUsagePKCS15 aLeft, TKeyUsagePKCS15 aRight); -inline const TKeyUsagePKCS15& operator|=(TKeyUsagePKCS15& aLeft, TKeyUsagePKCS15 aRight); -inline const TKeyUsagePKCS15& operator&=(TKeyUsagePKCS15& aLeft, TKeyUsagePKCS15 aRight); - -/** - * What a key can be used for - X.509 scheme. - * - * @publishedAll - * @released - */ -enum TKeyUsageX509 - { - EX509UsageDigitalSignature = 0x80000000, - EX509UsageNonRepudiation = 0x40000000, - EX509UsageKeyEncipherment = 0x20000000, - EX509UsageDataEncipherment = 0x10000000, - EX509UsageKeyAgreement = 0x08000000, - EX509UsageKeyCertSign = 0x04000000, - EX509UsageCRLSign = 0x02000000, - EX509UsageEncipherOnly = 0x01000000, - EX509UsageDecipherOnly = 0x00800000, - // Values for commonly permitted combinations - EX509UsageAnySign = 0x86000000, - EX509UsageAllEncipher = 0x30000000, - EX509UsageAllSignEncipher = 0xB6000000, - /// For use in filters to return all keys - EX509UsageAll = 0xffffffff, - EX509UsageNone = 0x00000000 - }; - -inline TKeyUsageX509 operator|(TKeyUsageX509 aLeft, TKeyUsageX509 aRight); -inline TKeyUsageX509 operator&(TKeyUsageX509 aLeft, TKeyUsageX509 aRight); -inline const TKeyUsageX509& operator|=(TKeyUsageX509& aLeft, TKeyUsageX509 aRight); -inline const TKeyUsageX509& operator&=(TKeyUsageX509& aLeft, TKeyUsageX509 aRight); - -/** - * - * - * @param aUsage - * @return - */ -IMPORT_C TKeyUsageX509 KeyUsagePKCS15ToX509(TKeyUsagePKCS15 aUsage); - -/** - * - * - * @param aUsage - * @return - */ -IMPORT_C TKeyUsagePKCS15 KeyUsageX509ToPKCS15Private(TKeyUsageX509 aUsage); - -/** - * - * - * @param aUsage - * @return - */ -IMPORT_C TKeyUsagePKCS15 KeyUsageX509ToPKCS15Public(TKeyUsageX509 aUsage); - -/** - * Supported types of certificate format. Note these must be only 1 byte long as - * the file cert store only seralises them as 1 byte. - * - * @publishedAll - * @released - */ -enum TCertificateFormat - { - EX509Certificate = 0x00, - EWTLSCertificate = 0x01, - EX968Certificate = 0x02, - EUnknownCertificate = 0x0f, - EX509CertificateUrl = 0x10, - EWTLSCertificateUrl = 0x11, - EX968CertificateUrl = 0x12 - }; - -/** - * The owner of a certificate. - * - * @publishedAll - * @released - */ -enum TCertificateOwnerType - { - ECACertificate, - EUserCertificate, - EPeerCertificate - }; - -/** The length of a SHA-1 hash - * - * @publishedAll - * @released - */ -const TInt KSHA1HashLengthBytes = 20; - -/** - * A SHA-1 hash. - * - * @publishedAll - * @released - */ -typedef TBuf8 TSHA1Hash; - -//const TInt KMD5HashLengthBytes = 16; -//typedef TMD5Hash TBufC8; - -/** - * A SHA-1 hash is also used as a key identifier. - * - * @publishedAll - * @released - */ -typedef TSHA1Hash TKeyIdentifier; - -/** - * Errors that can occur when validating a certificate chain. - * - * Except EValidatedOK, all these are fatal errors unless specified. - * - * @publishedAll - * @released - */ -enum TValidationError - { - /** Validation OK */ - EValidatedOK, - /** Certificate chain has no root */ - EChainHasNoRoot, - /** Invalid signature */ - ESignatureInvalid, - /** Date out of range */ - EDateOutOfRange, - /** Name is excluded */ - ENameIsExcluded, - /** Name is not permitted */ - ENameNotPermitted, //subtle difference here! - /** Not a CA certificate */ - ENotCACert, - /** Certificate revoked */ - ECertificateRevoked, - /** Unrecognized critical extension */ - EUnrecognizedCriticalExtension, - /** No basic constraint in CA certificate */ - ENoBasicConstraintInCACert, - /** No acceptable policy */ - ENoAcceptablePolicy, - /** Path too long */ - EPathTooLong, - /** Negative path length specified */ - ENegativePathLengthSpecified, - /** Names do not chain */ - ENamesDontChain, - /** Required policy not found */ - ERequiredPolicyNotFound, - /** Bad key usage */ - EBadKeyUsage, - /** - * Root certificate not self-signed. - * - * We cannot tell if this is fatal or not, as we lack the context. - */ - ERootCertNotSelfSigned, - /** - * Critical extended key usage - * - * We cannot tell if this is fatal or not, as we lack the context. - */ - ECriticalExtendedKeyUsage, - /** - * Critical certificate policies with qualifiers - * - * We cannot tell if this is fatal or not, as we lack the context. - */ - ECriticalCertPoliciesWithQualifiers, - /** - * Critical policy mapping - * - * We cannot tell if this is fatal or not, as we lack the context. - */ - ECriticalPolicyMapping, - /** - * Critical Device Id - * - * We cannot tell if this is fatal or not, as we lack the context. - */ - ECriticalDeviceId, - /** - * Critical Sid - * - * We cannot tell if this is fatal or not, as we lack the context. - */ - ECriticalSid, - /** - * Critical Vid - * - * We cannot tell if this is fatal or not, as we lack the context. - */ - ECriticalVid, - /** - * Critical Capabilities - * - * We cannot tell if this is fatal or not, as we lack the context. - */ - ECriticalCapabilities - }; - -// Certificate Applicability UIDs - -/** - * This UID is associated with certificates which are trusted for - * software installation of native applications. - * - * @see MCertStore::Applications - * @see MCTWritableCertStore::SetApplicability - * - * @publishedPartner - * @released - */ -const TUid KSwiApplicabilityUid = {0x100042AB}; - -/** - * This UID is associated with certificates which are trusted for - * OCSP checks. - * - * @see MCertStore::Applications - * @see MCTWritableCertStore::SetApplicability - * - * @publishedPartner - * @released - */ -const TUid KSwiOcspApplicabilityUid = {0x1000A8B6}; - -/** - * This UID is associated with certificates which are trusted for - * Java midlet installation. - * - * @see MCertStore::Applications - * @see MCTWritableCertStore::SetApplicability - * - * @publishedPartner - * @released - */ -const TUid KMidletInstallApplicabilityUid = {0x101F9B28}; - -/** - * This UID is associated with certificates which are trusted for - * SSL/TLS connectivity. - * - * @see MCertStore::Applications - * @see MCTWritableCertStore::SetApplicability - * - * @publishedPartner - * @released - */ -const TUid KTlsApplicabilityUid = {0x1000183D}; - -/** - * This OID is associated with X.509 certificates - * trusted for TLS WWW server authentication. - * - * @publishedPartner - * @released - */ -_LIT(KServerAuthOID,"1.3.6.1.5.5.7.3.1"); - -/** - * This OID is associated with X.509 certificates - * trusted for TLS WWW client authentication. - * - * @publishedPartner - * @released - */ - // SSL Client - _LIT(KClientAuthOID,"1.3.6.1.5.5.7.3.2"); - -/** - * This OID is associated with X.509 certificates - * trusted for signing of downloadable executable code. - * - * @publishedPartner - * @released - */ -_LIT(KCodeSigningOID,"1.3.6.1.5.5.7.3.3"); - -/** - * This OID is associated with X.509 certificates - * trusted for email protection . - * - * @publishedPartner - * @released - */ -_LIT(KEmailProtectionOID,"1.3.6.1.5.5.7.3.4"); - -/** - * This OID is associated with X.509 certificates - * trusted for Ipsec end system. - * - * @publishedPartner - * @released - */ -_LIT(KIpsecEndSystemOID,"1.3.6.1.5.5.7.3.5"); - -/** - * This OID is associated with X.509 certificates - * trusted for Ipsec tunnel. - * - * @publishedPartner - * @released - */ -_LIT(KIpsecTunnelOID,"1.3.6.1.5.5.7.3.6"); - -/** - * This OID is associated with X.509 certificates - * trusted for Ipsec user. - * - * @publishedPartner - * @released - */ -_LIT(KIpsecUserOID, "1.3.6.1.5.5.7.3.7"); - -/** - * This OID is associated with X.509 certificates - * trusted for binding the hash of an object to a time. - * - * @publishedPartner - * @released - */ -_LIT(KTimeStampingOID,"1.3.6.1.5.5.7.3.8"); - -/** - * This OID is associated with X.509 certificates - * trusted for signing OCSP responses. - * - * @publishedPartner - * @released - */ -_LIT(KOCSPSigningOID,"1.3.6.1.5.5.7.3.9"); - - - -#include "securitydefs.inl" - -#endif +/* +* Copyright (c) 2001-2009 Nokia Corporation and/or its subsidiary(-ies). +* All rights reserved. +* This component and the accompanying materials are made available +* under the terms of the License "Eclipse Public License v1.0" +* which accompanies this distribution, and is available +* at the URL "http://www.eclipse.org/legal/epl-v10.html". +* +* Initial Contributors: +* Nokia Corporation - initial contribution. +* +* Contributors: +* +* Description: +* General Security Definitions +* +*/ + + +/** + @file + @publishedAll + @released +*/ + +#ifndef __SECURITYDEFS_H__ +#define __SECURITYDEFS_H__ + +#include +#include + +#ifndef SYMBIAN_ENABLE_SPLIT_HEADERS +#include +#endif + +/** General Security Definitions */ + +// Old keystore interface, deprecated ////////////////////////////////////////// + +/** + * What a key can be used for. + * The values this can take are defined in TKeyUsageVals. + * + * @deprecated + */ +typedef TInt TKeyUsage; + +/** + * What a key can be used for. + * + * These values can be ORed together if a key has several usages. EAllKeyUsages + * is used when searching for all keys, rather than ones with a particular + * usage. As these can be combined, TKeyUsage is used to store them. + * + * @deprecated + */ +enum TKeyUsageVals + { + EDigitalSignature = 0x80000000, + ENonRepudiation = 0x40000000, + EKeyEncipherment = 0x20000000, + EDataEncipherment = 0x10000000, + EKeyAgreement = 0x08000000, + EKeyCertSign = 0x04000000, + ECRLSign = 0x02000000, + EEncipherOnly = 0x01000000, + EDecipherOnly = 0x00800000, + EAllKeyUsages = -1 + }; + +// End of deprecated keystore API ////////////////////////////////////////////// + +/** + * What a key can be used for - PKCS#15 scheme. + * + */ +enum TKeyUsagePKCS15 + { + EPKCS15UsageEncrypt = 0x001, + EPKCS15UsageDecrypt = 0x002, + EPKCS15UsageSign = 0x004, + EPKCS15UsageSignRecover = 0x008, + EPKCS15UsageWrap = 0x010, + EPKCS15UsageUnwrap = 0x020, + EPKCS15UsageVerify = 0x040, + EPKCS15UsageVerifyRecover = 0x080, + EPKCS15UsageDerive = 0x100, + EPKCS15UsageNonRepudiation = 0x200, + // Common combinations + EPKCS15UsageEncryptWrap = 0x011, + EPKCS15UsageVerifyVerifyRecover = 0x0C0, + EPKCS15UsageDecryptUnwrap = 0x022, + EPKCS15UsageSignSignRecover = 0x00C, + EPKCS15UsageVerifyEncrypt = 0x0D1, + EPKCS15UsageSignDecrypt = 0x02E, + // For use in filters to return all keys + EPKCS15UsageAll = 0xffffffff, + EPKCS15UsageNone = 0x00000000 + }; + +inline TKeyUsagePKCS15 operator|(TKeyUsagePKCS15 aLeft, TKeyUsagePKCS15 aRight); +inline TKeyUsagePKCS15 operator&(TKeyUsagePKCS15 aLeft, TKeyUsagePKCS15 aRight); +inline const TKeyUsagePKCS15& operator|=(TKeyUsagePKCS15& aLeft, TKeyUsagePKCS15 aRight); +inline const TKeyUsagePKCS15& operator&=(TKeyUsagePKCS15& aLeft, TKeyUsagePKCS15 aRight); + +/** + * What a key can be used for - X.509 scheme. + * + */ +enum TKeyUsageX509 + { + EX509UsageDigitalSignature = 0x80000000, + EX509UsageNonRepudiation = 0x40000000, + EX509UsageKeyEncipherment = 0x20000000, + EX509UsageDataEncipherment = 0x10000000, + EX509UsageKeyAgreement = 0x08000000, + EX509UsageKeyCertSign = 0x04000000, + EX509UsageCRLSign = 0x02000000, + EX509UsageEncipherOnly = 0x01000000, + EX509UsageDecipherOnly = 0x00800000, + // Values for commonly permitted combinations + EX509UsageAnySign = 0x86000000, + EX509UsageAllEncipher = 0x30000000, + EX509UsageAllSignEncipher = 0xB6000000, + /// For use in filters to return all keys + EX509UsageAll = 0xffffffff, + EX509UsageNone = 0x00000000 + }; + +inline TKeyUsageX509 operator|(TKeyUsageX509 aLeft, TKeyUsageX509 aRight); +inline TKeyUsageX509 operator&(TKeyUsageX509 aLeft, TKeyUsageX509 aRight); +inline const TKeyUsageX509& operator|=(TKeyUsageX509& aLeft, TKeyUsageX509 aRight); +inline const TKeyUsageX509& operator&=(TKeyUsageX509& aLeft, TKeyUsageX509 aRight); + +/** + * + * + * @param aUsage + * @return + */ +IMPORT_C TKeyUsageX509 KeyUsagePKCS15ToX509(TKeyUsagePKCS15 aUsage); + +/** + * + * + * @param aUsage + * @return + */ +IMPORT_C TKeyUsagePKCS15 KeyUsageX509ToPKCS15Private(TKeyUsageX509 aUsage); + +/** + * + * + * @param aUsage + * @return + */ +IMPORT_C TKeyUsagePKCS15 KeyUsageX509ToPKCS15Public(TKeyUsageX509 aUsage); + +/** + * Supported types of certificate format. Note these must be only 1 byte long as + * the file cert store only seralises them as 1 byte. + * + */ +enum TCertificateFormat + { + EX509Certificate = 0x00, + EWTLSCertificate = 0x01, + EX968Certificate = 0x02, + EUnknownCertificate = 0x0f, + EX509CertificateUrl = 0x10, + EWTLSCertificateUrl = 0x11, + EX968CertificateUrl = 0x12 + }; + +/** + * The owner of a certificate. + * + */ +enum TCertificateOwnerType + { + ECACertificate, + EUserCertificate, + EPeerCertificate + }; + +/** The length of a SHA-1 hash + * + */ +const TInt KSHA1HashLengthBytes = 20; + +/** + * A SHA-1 hash. + * + */ +typedef TBuf8 TSHA1Hash; + +//const TInt KMD5HashLengthBytes = 16; +//typedef TMD5Hash TBufC8; + +/** + * A SHA-1 hash is also used as a key identifier. + * + */ +typedef TSHA1Hash TKeyIdentifier; + +/** + * Errors that can occur when validating a certificate chain. + * + * Except EValidatedOK, all these are fatal errors unless specified. + * + */ +enum TValidationError + { + /** Validation OK */ + EValidatedOK, + /** Certificate chain has no root */ + EChainHasNoRoot, + /** Invalid signature */ + ESignatureInvalid, + /** Date out of range */ + EDateOutOfRange, + /** Name is excluded */ + ENameIsExcluded, + /** Name is not permitted */ + ENameNotPermitted, //subtle difference here! + /** Not a CA certificate */ + ENotCACert, + /** Certificate revoked */ + ECertificateRevoked, + /** Unrecognized critical extension */ + EUnrecognizedCriticalExtension, + /** No basic constraint in CA certificate */ + ENoBasicConstraintInCACert, + /** No acceptable policy */ + ENoAcceptablePolicy, + /** Path too long */ + EPathTooLong, + /** Negative path length specified */ + ENegativePathLengthSpecified, + /** Names do not chain */ + ENamesDontChain, + /** Required policy not found */ + ERequiredPolicyNotFound, + /** Bad key usage */ + EBadKeyUsage, + /** + * Root certificate not self-signed. + * + * We cannot tell if this is fatal or not, as we lack the context. + */ + ERootCertNotSelfSigned, + /** + * Critical extended key usage + * + * We cannot tell if this is fatal or not, as we lack the context. + */ + ECriticalExtendedKeyUsage, + /** + * Critical certificate policies with qualifiers + * + * We cannot tell if this is fatal or not, as we lack the context. + */ + ECriticalCertPoliciesWithQualifiers, + /** + * Critical policy mapping + * + * We cannot tell if this is fatal or not, as we lack the context. + */ + ECriticalPolicyMapping, + /** + * Critical Device Id + * + * We cannot tell if this is fatal or not, as we lack the context. + */ + ECriticalDeviceId, + /** + * Critical Sid + * + * We cannot tell if this is fatal or not, as we lack the context. + */ + ECriticalSid, + /** + * Critical Vid + * + * We cannot tell if this is fatal or not, as we lack the context. + */ + ECriticalVid, + /** + * Critical Capabilities + * + * We cannot tell if this is fatal or not, as we lack the context. + */ + ECriticalCapabilities + }; + + +#include "securitydefs.inl" + +#endif