/*
- * DecodedCert.h - object representing a snacc-decoded cert, with extensions
- * parsed and decoded (still in snacc format).
+ * DecodedCert.h - object representing an NSS-decoded cert, with extensions
+ * parsed and decoded (still in NSS format).
*
* Created 9/1/2000 by Doug Mitchell.
* Copyright (c) 2000 by Apple Computer.
*
- * This object is how we store certs, both when caching them (explicitly or
- * during a search), and as an intermediate stage during template (TBS, or
- * to-be-signed cert) construction. This is a subclass of the SNACC-generated class
- * Certificate; the main functionality we add is the parsing and decoding of
- * Extensions. Extensions are not decoded in class Certificate beyond the level
- * of the X.509 Extension object, which just contains the ID (an OID), the
- * critical flag, and an octet string containing an ID-specific thing.
- *
- * When we decode a cert or a TBS, we also parse the Extension objects, decoding
- * then into specific SNACC classes like KeyUsage or BasicConstriantsSyntax. We
- * keep these decoded extensions in a list of DecodedExten structs. GetCertField
- * ops which access extensions access these DecodedExten structs.
- *
- * When creating a cert template (TBS), each incoming field associated with an
- * extension is translated into an object like a (SNACC) KeyUsage and stored in
- * our DecodedExten list.
- *
- * When encoding a TBS, we BER-encode each of the SNACC objects (KeyUsage, etc.)
- * in our list of DecodedExtens, wrapthe result in an Octet string (actually an
- * AsnOcts) and store it in the SNACC-generated CertificateToSign's extensions
- * list.
- *
- * Support for extensions which we don't understand is handled as follows. When
- * setting cert fields for such extensions during template construction, the app
- * has to BER-encode the underlying extension. We just wrap this in an octet string
- * (AsnOcts) and store the result in a DecodedExten without further ado. When
- * encoding the TBS, this octet string is just copied into the CertificateToSign's
- * Extension list without further ado. When decoding a cert, if we find an
- * extension we don't understand, the SNACC object stored in the DecodedExten
- * is just a copy of the AsnOcts (which is the BER encoding of the underlying
- * mystery extension wrapped in an Octet string). We pass back the Octet string's
- * contents (*not* the BER-encoded octet string) during a GetCertField op.
+ * See DecodedItem.h for details on the care and feeding of this
+ * module.
*/
#ifndef _DECODED_CERT_H_
#include <Security/cssmtype.h>
#include <Security/cssmdata.h>
-#include <Security/asn-incl.h>
-#include <Security/sm_vdatypes.h>
-#include <Security/sm_x501if.h>
-#include <Security/sm_x520sa.h>
-#include <Security/sm_x411mtsas.h>
-#include <Security/sm_x509cmn.h>
-#include <Security/sm_x509af.h>
-#include <Security/pkcs9oids.h>
-#include <Security/sm_x509ce.h>
-#include <Security/sm_cms.h>
-#include <Security/sm_ess.h>
-
-/* state of a DecodedCert */
-typedef enum {
- CS_Empty,
- CS_DecodedCert, // can't set fields in this state
- CS_DecodedTBS, // ditto
- CS_Building // in the process of setting fields
-} CertState;
-
-/* means for holding decoded extensions */
-typedef struct {
- AsnOid *extnId;
- bool critical;
- AsnType *snaccObj; // KeyUsage, BasicConstraintsSyntax, etc.
- bool berEncoded; // indicates unknown extension which we
- // do not BER-decode when parsing a cert
-} DecodedExten;
+#include "DecodedItem.h"
+#include <SecurityNssAsn1/X509Templates.h>
+#include <SecurityNssAsn1/SecNssCoder.h>
-class AppleX509CLSession;
-
-class DecodedCert : public Certificate
+class DecodedCert : public DecodedItem
{
+ NOCOPY(DecodedCert)
public:
/* construct empty cert, no decoded extensions */
DecodedCert(
~DecodedCert();
+ void encodeExtensions();
+
/* decode TBSCert and its extensions */
void decodeTbs(
const CssmData &encodedTbs);
const CssmOid &fieldId, // which field
unsigned index, // which occurrence (0 = first)
uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue) const; // RETURNED
+ CssmOwnedData &fieldValue); // RETURNED
/*
* Set the field specified by fieldId in TBS.
CssmAllocator &alloc) const;
CSSM_KEYUSE inferKeyUsage() const;
-
-private:
-
- /***
- *** Extensions support (CertExtensions.cpp)
- ***/
-
- /* decode extensions ==> mExtensions */
- void decodeExtensions();
-
- /* encode mExtensions ==> tbs->Extensions */
- void encodeExtensions();
-
- /* called from decodeExtensions and setField* */
- void addExtension(
- AsnType *snaccThing, // e.g. KeyUsage
- const AsnOid &extnId,
- bool critical,
- bool berEncoded);
-
-public:
-
- /* as above, CSSM-centric OID */
- void addExtension(
- AsnType *snaccThing, // e.g. KeyUsage
- const CSSM_OID &extnId,
- bool critical,
- bool berEncoded)
- {
- AsnOid snaccOid(reinterpret_cast<char *>(extnId.Data), extnId.Length);
- addExtension(snaccThing, snaccOid, critical, berEncoded);
- }
-
- /* called from getField* and inferKeyUsage */
- /* returns NULL if not found */
- DecodedExten *findDecodedExt(
- const AsnOid &extnId, // for known extensions
- bool unknown, // otherwise
- uint32 index,
- uint32 &numFields) const;
-
-private:
- CertState mState;
- DecodedExten *mExtensions;
- unsigned mNumExtensions; // # valid DecodedExtens
- unsigned mSizeofExtensions; // mallocd size in DecodedExten
- CssmAllocator &alloc;
- AppleX509CLSession &mSession;
- void reset()
- {
- mState = CS_Empty;
- mExtensions = NULL;
- mNumExtensions = 0;
- mSizeofExtensions = 0;
- }
+ NSS_Certificate mCert;
};
#endif /* _DECODED_CERT_H_ */
projects / apple / security.git / blobdiff