Security-57031.1.35.tar.gz
diff --git a/libsecurity_apple_x509_tp/lib/tpCrlVerify.h b/libsecurity_apple_x509_tp/lib/tpCrlVerify.h
deleted file mode 100644 (file)
index e05e19f..0000000
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
- * 
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-/*
- * tpCrlVerify.h - routines to verify CRLs and to verify certs against CRLs.
- *
- * Written 9/26/02 by Doug Mitchell.
- */
-#ifndef        _TP_CRL_VERIFY_H_
-#define _TP_CRL_VERIFY_H_
-
-#include <Security/cssmtype.h>
-#include <security_utilities/alloc.h>
-#include <Security/cssmapple.h>
-#include <Security/cssmapplePriv.h>
-
-class TPCertInfo;
-class TPCertGroup;
-class TPCrlInfo;
-class TPCrlGroup;
-
-/*
- * Enumerated CRL policies enforced by this module.
- */
-typedef enum {
-       kRevokeNone,                    /* no revocation checking */
-       kRevokeCrlBasic,
-       kRevokeOcsp     
-} TPRevocationPolicy;
-
-/* Module-specific default policy */
-#define TP_CRL_POLICY_DEFAULT  kRevokeNone
-
-/*
- * Various parameters widely used in any operation involving CRL and 
- * OCSP verification. Most fields are optional.
- */
-class TPVerifyContext {
-       NOCOPY(TPVerifyContext)
-public:
-       TPVerifyContext(
-               Allocator                       &_alloc,
-               CSSM_CL_HANDLE          _clHand,
-               CSSM_CSP_HANDLE         _cspHand,
-               CSSM_TIMESTRING         _verifyTime,
-               uint32                          _numAnchorCerts,
-               const CSSM_DATA         *_anchorCerts,
-               TPCertGroup                     *_signerCerts,
-               TPCrlGroup                      *_inputCrls,
-               TPCertGroup                     &_gatheredCerts,
-               CSSM_DL_DB_LIST_PTR     _dbList,
-               TPRevocationPolicy      _policy,
-               CSSM_APPLE_TP_ACTION_FLAGS      _actionFlags,
-               CSSM_APPLE_TP_CRL_OPTIONS       *_crlOpts,
-               CSSM_APPLE_TP_OCSP_OPTIONS      *_ocspOpts,
-               const CSSM_OID          *_policyOid,
-               const char                      *_policyStr,
-               uint32                          _policyStrLen,
-               CSSM_KEYUSE                     _keyUse)
-                       : alloc(_alloc),
-                               clHand(_clHand),
-                               cspHand(_cspHand),
-                               verifyTime(_verifyTime),
-                               numAnchorCerts(_numAnchorCerts),
-                               anchorCerts(_anchorCerts),
-                               signerCerts(_signerCerts),
-                               inputCrls(_inputCrls),
-                               gatheredCerts(_gatheredCerts),
-                               dbList(_dbList),
-                               policy(_policy),
-                               actionFlags(_actionFlags),
-                               crlOpts(_crlOpts),
-                               ocspOpts(_ocspOpts),
-                               policyOid(_policyOid),
-                               policyStr(_policyStr),
-                               policyStrLen(_policyStrLen),
-                               keyUse(_keyUse)
-                                       { }
-       
-       ~TPVerifyContext() { }
-       
-       Allocator                                               &alloc;
-       CSSM_CL_HANDLE                                  clHand;
-       CSSM_CSP_HANDLE                                 cspHand;
-       
-       /* 
-        * NULL means "verify for this momemt", otherwise indicates 
-        * time at which an entity is to be verified.
-        */
-    CSSM_TIMESTRING                            verifyTime;
-       
-       /* trusted anchors */
-       /* FIXME - maybe this should be a TPCertGroup */
-    uint32                                                     numAnchorCerts;
-       const CSSM_DATA                                 *anchorCerts;
-       
-       /* 
-        * Intermediate signing certs. Always present.
-        * This could come from the raw cert group to be verified
-        * in CertGroupVerify(), or the explicit SignerCertGroup in
-        * CrlVerify(). IN both cases the cert group owns the certs and 
-        * eventually frees them. These certs have not been verified in any 
-        * way other than to ensure that they parse and have been cached
-        * by the CL.
-        */
-       TPCertGroup                                             *signerCerts;
-
-       /* Raw CRLs provided by caller, state unknown, optional */
-       TPCrlGroup                                              *inputCrls;
-       
-       /*
-        * Other certificates gathered during the course of this operation,
-        * currently consisting of certs fetched from DBs and from the net.
-        * This is currently set to AppleTPSession::CertGroupVerify's
-        * certsToBeFreed, to include certs fetched from the net (a
-        * significant optimization) and from DLDB (a side effect, also
-        * a slight optimization).
-        */
-       TPCertGroup                                             &gatheredCerts;
-       
-       /* can contain certs and/or CRLs */
-    CSSM_DL_DB_LIST_PTR                        dbList;
-       
-       TPRevocationPolicy                              policy;
-       CSSM_APPLE_TP_ACTION_FLAGS              actionFlags;
-       
-       /* one of these valid, depends on policy */
-       const CSSM_APPLE_TP_CRL_OPTIONS *crlOpts;
-       const CSSM_APPLE_TP_OCSP_OPTIONS *ocspOpts;
-       
-       /* optional user trust parameters */
-       const CSSM_OID                                  *policyOid;
-       const char                                              *policyStr;
-       uint32                                                  policyStrLen;
-       CSSM_KEYUSE                                             keyUse;
-};
-
-extern "C" {
-
-/* CRL - specific */
-CSSM_RETURN tpVerifyCertGroupWithCrls(
-       TPVerifyContext                                 &tpVerifyContext,
-       TPCertGroup                                     &certGroup);            // to be verified 
-       
-/* general purpose, switch to policy-specific code based on TPVerifyContext.policy */
-CSSM_RETURN tpRevocationPolicyVerify(
-       TPVerifyContext                                 &tpVerifyContext,
-       TPCertGroup                                     &certGroup);            // to be verified 
-
-}
-
-#endif /* _TP_CRL_VERIFY_H_ */