1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 * tpCrlVerify.h - routines to verify CRLs and to verify certs against CRLs.
21 *
22 * Written 9/26/02 by Doug Mitchell.
23 */
24
25 #ifndef _TP_CRL_VERIFY_H_
26 #define _TP_CRL_VERIFY_H_
27
28 #include <Security/cssmtype.h>
29 #include <security_utilities/alloc.h>
30 #include <Security/cssmapple.h>
31 #include <Security/cssmapplePriv.h>
32
/*
 * Forward declarations only. This header refers to TPCertGroup and
 * TPCrlGroup solely through pointers and references, so the full class
 * definitions are not required here.
 */
class TPCertGroup;
class TPCertInfo;
class TPCrlGroup;
class TPCrlInfo;
37
/*
 * Revocation-checking policies selectable for this module. The enumerator
 * values are written out so the numeric mapping is visible; they are the
 * same values the compiler assigns implicitly.
 */
typedef enum {
	kRevokeNone     = 0,	/* no revocation checking */
	kRevokeCrlBasic = 1,	/* presumably CRL-based checking (pairs with crlOpts) - confirm in the implementation */
	kRevokeOcsp     = 2		/* presumably OCSP-based checking (pairs with ocspOpts) - confirm in the implementation */
} TPRevocationPolicy;

/*
 * Module-specific default policy.
 *
 * NOTE(review): the default is kRevokeNone, i.e. no revocation checking.
 * Where this default gets applied is not visible in this header; callers
 * that need revoked certificates rejected should confirm that they select
 * kRevokeCrlBasic or kRevokeOcsp explicitly rather than relying on it.
 */
#define TP_CRL_POLICY_DEFAULT	kRevokeNone
49
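/*
 * Various parameters widely used in any operation involving CRL and
 * OCSP verification. Most fields are optional.
 *
 * The context is a plain parameter bundle: the constructor stores the
 * references and pointers it is given and copies nothing, and the
 * destructor frees nothing. Everything passed in must therefore outlive
 * the context.
 */
class TPVerifyContext {
	NOCOPY(TPVerifyContext)
public:
	/*
	 * Each argument is stored in the member of the same name (without the
	 * leading underscore). _crlOpts and _ocspOpts are taken as pointers to
	 * const, matching the const members they initialize, so callers may
	 * pass const option structs.
	 */
	TPVerifyContext(
		Allocator							&_alloc,
		CSSM_CL_HANDLE						_clHand,
		CSSM_CSP_HANDLE						_cspHand,
		CSSM_TIMESTRING						_verifyTime,
		uint32								_numAnchorCerts,
		const CSSM_DATA						*_anchorCerts,
		TPCertGroup							*_signerCerts,
		TPCrlGroup							*_inputCrls,
		TPCertGroup							&_gatheredCerts,
		CSSM_DL_DB_LIST_PTR					_dbList,
		TPRevocationPolicy					_policy,
		CSSM_APPLE_TP_ACTION_FLAGS			_actionFlags,
		const CSSM_APPLE_TP_CRL_OPTIONS		*_crlOpts,
		const CSSM_APPLE_TP_OCSP_OPTIONS	*_ocspOpts,
		const CSSM_OID						*_policyOid,
		const char							*_policyStr,
		uint32								_policyStrLen,
		CSSM_KEYUSE							_keyUse)
			: alloc(_alloc),
			  clHand(_clHand),
			  cspHand(_cspHand),
			  verifyTime(_verifyTime),
			  numAnchorCerts(_numAnchorCerts),
			  anchorCerts(_anchorCerts),
			  signerCerts(_signerCerts),
			  inputCrls(_inputCrls),
			  gatheredCerts(_gatheredCerts),
			  dbList(_dbList),
			  policy(_policy),
			  actionFlags(_actionFlags),
			  crlOpts(_crlOpts),
			  ocspOpts(_ocspOpts),
			  policyOid(_policyOid),
			  policyStr(_policyStr),
			  policyStrLen(_policyStrLen),
			  keyUse(_keyUse)
		{ }

	/* Nothing is owned by the context, so there is nothing to release. */
	~TPVerifyContext() { }

	Allocator						&alloc;
	CSSM_CL_HANDLE					clHand;
	CSSM_CSP_HANDLE					cspHand;

	/*
	 * NULL means "verify for this moment", otherwise indicates
	 * time at which an entity is to be verified.
	 */
	CSSM_TIMESTRING					verifyTime;

	/* trusted anchors; numAnchorCerts is the element count of anchorCerts */
	/* FIXME - maybe this should be a TPCertGroup */
	uint32							numAnchorCerts;
	const CSSM_DATA					*anchorCerts;

	/*
	 * Intermediate signing certs. Always present.
	 * This could come from the raw cert group to be verified
	 * in CertGroupVerify(), or the explicit SignerCertGroup in
	 * CrlVerify(). In both cases the cert group owns the certs and
	 * eventually frees them. These certs have not been verified in any
	 * way other than to ensure that they parse and have been cached
	 * by the CL, so they must be treated as untrusted input until a
	 * chain to an anchor has been established.
	 */
	TPCertGroup						*signerCerts;

	/*
	 * Raw CRLs provided by caller, state unknown, optional.
	 * "State unknown" means nothing about them has been checked yet.
	 */
	TPCrlGroup						*inputCrls;

	/*
	 * Other certificates gathered during the course of this operation,
	 * currently consisting of certs fetched from DBs and from the net.
	 * This is currently set to AppleTPSession::CertGroupVerify's
	 * certsToBeFreed, to include certs fetched from the net (a
	 * significant optimization) and from DLDB (a side effect, also
	 * a slight optimization).
	 */
	TPCertGroup						&gatheredCerts;

	/* can contain certs and/or CRLs */
	CSSM_DL_DB_LIST_PTR				dbList;

	/* kRevokeNone here means no revocation checking is requested */
	TPRevocationPolicy				policy;
	CSSM_APPLE_TP_ACTION_FLAGS		actionFlags;

	/* one of these valid, depends on policy */
	const CSSM_APPLE_TP_CRL_OPTIONS	*crlOpts;
	const CSSM_APPLE_TP_OCSP_OPTIONS *ocspOpts;

	/*
	 * optional user trust parameters
	 * NOTE(review): policyStr is carried together with policyStrLen;
	 * presumably it is not guaranteed to be NUL-terminated - confirm
	 * against callers before using it as a C string.
	 */
	const CSSM_OID					*policyOid;
	const char						*policyStr;
	uint32							policyStrLen;
	CSSM_KEYUSE						keyUse;
};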
153
extern "C" {

/*
 * CRL-specific verification of certGroup, driven by the parameters held
 * in tpVerifyContext. Returns a CSSM_RETURN status; the individual codes
 * are defined by the implementation, which is not part of this header.
 */
CSSM_RETURN tpVerifyCertGroupWithCrls(
	TPVerifyContext	&tpVerifyContext,
	TPCertGroup		&certGroup);		/* the certs to be verified */

/*
 * General-purpose entry point: switches to policy-specific code based on
 * tpVerifyContext.policy.
 * NOTE(review): the result for kRevokeNone is decided in the
 * implementation and cannot be read off this declaration.
 */
CSSM_RETURN tpRevocationPolicyVerify(
	TPVerifyContext	&tpVerifyContext,
	TPCertGroup		&certGroup);		/* the certs to be verified */

}
167
168 #endif /* _TP_CRL_VERIFY_H_ */