]> git.saurik.com Git - apple/security.git/blob - AppleX509TP/TPCertInfo.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-54.1.3.tar.gz
[apple/security.git] / AppleX509TP / TPCertInfo.h
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 * TPCertInfo.h - TP's private certificate info and cert group classes
21 *
22 * Written 10/23/2000 by Doug Mitchell.
23 */
24
25 #ifndef _TP_CERT_INFO_H_
26 #define _TP_CERT_INFO_H_
27
28 #include <Security/cssmtype.h>
29 #include <Security/utilities.h>
30 #include <Security/cssmalloc.h>
31 #include <Security/threading.h>
32 #include <Security/globalizer.h>
33
34 /*** Interim hack, disable not before/not after checking during cert chain processing ***/
35 /*** code #ifdef'd with this gets ripped out later ***/
36 #define TP_CERT_CURRENT_CHECK_INLINE 0
37
38 /* protects TP-wide access to time() and gmtime() */
39 extern ModuleNexus<Mutex> tpTimeLock;
40
41 /*
42 * Class representing one certificate. The raw cert data usually comes from
43 * a client (via incoming cert groups in CertGroupConstruct() and CertGroupVerify());
44 * In this case, we don't own the raw data and don't copy or free it. Caller can
45 * optionally specify that we copy (and own and eventnually free) the raw cert data.
46 * The constructor throws on any error (bad cert data); subsequent to successful
47 * construction, no CSSM errors are thrown and it's guaranteed that the cert is
48 * basically good and successfully cached in the CL, and that we have a locally
49 * cached subject and issuer name (in normalized encoded format).
50 */
51 class TPCertInfo
52 {
53 public:
54 /*
55 * No default constructor - this is the only way.
56 * This caches the cert and fetches subjectName and issuerName
57 * to ensure the incoming certData is well-constructed.
58 */
59 TPCertInfo(
60 const CSSM_DATA *certData,
61 CSSM_CL_HANDLE clHand,
62 const char *cssmTimeStr = NULL, // NULL ==> time base = right now
63 bool copyCertData = false); // true: we copy, we free
64 // false - caller owns
65
66 /* frees mSubjectName, mIssuerName, mCacheHand via mClHand */
67 ~TPCertInfo();
68
69 /*
70 * Fetch arbitrary field from cached cert.
71 * Only should be used when caller is sure there is either zero or one
72 * of the requested fields present in the cert.
73 */
74 CSSM_RETURN fetchField(
75 const CSSM_OID *fieldOid,
76 CSSM_DATA_PTR *fieldData); // mallocd by CL and RETURNED
77
78 /* free arbitrary field obtained from fetchField() */
79 CSSM_RETURN freeField(
80 const CSSM_OID *fieldOid,
81 CSSM_DATA_PTR fieldData);
82
83 /* accessors */
84 CSSM_CL_HANDLE clHand();
85 CSSM_HANDLE cacheHand();
86 const CSSM_DATA *certData();
87 const CSSM_DATA *subjectName();
88 const CSSM_DATA *issuerName();
89
90 bool isSelfSigned() { return mIsRoot; }
91 bool isExpired() { return mExpired; }
92 bool isNotValidYet() { return mNotValidYet; }
93
94 unsigned index() { return mIndex; }
95 void index(unsigned dex) { mIndex = dex; }
96 bool isAnchor() { return mIsAnchor; }
97 void isAnchor(bool a) { mIsAnchor = a; }
98 unsigned numStatusCodes() { return mNumStatusCodes; }
99 CSSM_RETURN *statusCodes() { return mStatusCodes; }
100 void addStatusCode(CSSM_RETURN code);
101 CSSM_DL_DB_HANDLE dlDbHandle() { return mDlDbHandle; }
102 void dlDbHandle(CSSM_DL_DB_HANDLE hand)
103 { mDlDbHandle = hand; }
104 CSSM_DB_UNIQUE_RECORD_PTR uniqueRecord()
105 { return mUniqueRecord; }
106 void uniqueRecord(CSSM_DB_UNIQUE_RECORD_PTR rec)
107 { mUniqueRecord = rec; }
108
109 /*
110 * Verify validity (not before/after). Returns
111 * CSSMERR_TP_CERT_NOT_VALID_YET
112 * CSSMERR_TP_CERT_EXPIRED
113 * CSSM_OK
114 * CSSMERR_TP_INVALID_CERT_POINTER, other "bogus cert" errors
115 */
116 CSSM_RETURN isCurrent(
117 CSSM_BOOL allowExpired = CSSM_FALSE);
118
119 private:
120 CSSM_DATA *mCertData; // always valid
121 bool mWeOwnTheData; // if true, we have to free mCertData
122 CSSM_CL_HANDLE mClHand; // always valid
123 CSSM_HANDLE mCacheHand; // always valid
124 CSSM_DATA_PTR mSubjectName; // always valid
125 CSSM_DATA_PTR mIssuerName; // always valid
126
127 /* maintained by caller, default at constructor 0/false */
128 unsigned mIndex;
129 bool mIsAnchor;
130 bool mIsFromDb;
131 unsigned mNumStatusCodes;
132 CSSM_RETURN *mStatusCodes;
133 CSSM_DL_DB_HANDLE mDlDbHandle;
134 CSSM_DB_UNIQUE_RECORD_PTR mUniqueRecord;
135
136 /* calculated implicitly at construction */
137 bool mExpired;
138 bool mNotValidYet;
139 bool mIsRoot; // i.e., subject == issuer
140
141 void releaseResources();
142 void calculateCurrent(
143 const char *cssmTimeStr = NULL); // set mExpired, mNotValidYet
144
145 };
146
147 /*
148 * TP's private Cert Group class. Provides a list of TPCertInfo pointers, to which
149 * caller can append additional elements, access an element at an arbitrary position,
150 * and remover an element at an arbitrrary position.
151 */
152 class TPCertGroup
153 {
154 public:
155 /*
156 * No default constructor - use this to cook up an instance with
157 * space for numCerts TPCertInfos.
158 */
159 TPCertGroup(
160 CssmAllocator &alloc,
161 unsigned numCerts);
162
163 /*
164 * Deletes all TPCertInfo's.
165 */
166 ~TPCertGroup();
167
168 /* add/remove/access TPTCertInfo's. */
169 void appendCert(
170 TPCertInfo *certInfo); // appends to end of mCertInfo
171 TPCertInfo *certAtIndex(
172 unsigned index);
173 TPCertInfo *removeCertAtIndex(
174 unsigned index); // doesn't delete the cert, just
175 // removes it from our list
176 unsigned numCerts(); // how many do we have?
177
178 /*
179 * Convenience accessors for first and last cert, only valid when we have
180 * at least one cert.
181 */
182 TPCertInfo *firstCert();
183 TPCertInfo *lastCert();
184
185 /* build a CSSM_CERTGROUP corresponding with our mCertInfo */
186 CSSM_CERTGROUP_PTR buildCssmCertGroup();
187
188 /* build a CSSM_TP_APPLE_EVIDENCE_INFO array corresponding with our
189 * mCertInfo */
190 CSSM_TP_APPLE_EVIDENCE_INFO *buildCssmEvidenceInfo();
191
192 /* Given a status for basic construction of a cert group and a status
193 * of (optional) policy verification, plus the implicit notBefore/notAfter
194 * status in the certs, calculate a global return code. This just
195 * encapsulates a policy for CertGroupeConstruct and CertGroupVerify.
196 */
197 CSSM_RETURN getReturnCode(
198 CSSM_RETURN constructStatus,
199 CSSM_BOOL allowExpired,
200 CSSM_BOOL allowExpiredRoot,
201 CSSM_RETURN policyStatus = CSSM_OK);
202
203 CssmAllocator
204 &alloc() {return mAlloc; }
205
206 private:
207 CssmAllocator &mAlloc;
208 TPCertInfo **mCertInfo; // just an array of pointers
209 unsigned mNumCerts; // valid certs in certInfo
210 unsigned mSizeofCertInfo; // mallocd space in certInfo
211 };
212 #endif /* _TP_CERT_INFO_H_ */
mirror of Security