      1 /*
      2  * CDDL HEADER START
      3  *
      4  * The contents of this file are subject to the terms of the
      5  * Common Development and Distribution License (the "License").
      6  * You may not use this file except in compliance with the License.
      7  *
      8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
      9  * or http://www.opensolaris.org/os/licensing.
     10  * See the License for the specific language governing permissions
     11  * and limitations under the License.
     12  *
     13  * When distributing Covered Code, include this CDDL HEADER in each
     14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     15  * If applicable, add the following below this CDDL HEADER, with the
     16  * fields enclosed by brackets "[]" replaced with your own identifying
     17  * information: Portions Copyright [yyyy] [name of copyright owner]
     18  *
     19  * CDDL HEADER END
     20  *
     21  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
     22  * Use is subject to license terms.
     23  */
     24 #ifndef _KMFPOLICY_H
     25 #define	_KMFPOLICY_H
     26 
     27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
     28 
     29 #include <kmfapi.h>
     30 #include <libxml/tree.h>
     31 #include <libxml/parser.h>
     32 
     33 #ifdef __cplusplus
     34 extern "C" {
     35 #endif
     36 
/*
 * Names one certificate by two strings, a name and a serial number.
 * KMF_OCSP_POLICY embeds one of these as its resp_cert member.
 */
typedef struct {
	/* NOTE(review): presumably a distinguished name -- confirm format. */
	char	*name;
	/* Serial number held as text; the encoding is not visible here. */
	char	*serial;
} KMF_RESP_CERT_POLICY;
     41 
/*
 * Basic OCSP settings of a policy.  The member names appear to correspond
 * to the KMF_OCSP_*_ATTR attribute names defined in this header
 * ("responder", "proxy", "uri-from-cert", "response-lifetime",
 * "ignore-response-sign").
 */
typedef struct {
	char		*responderURI;
	char		*proxy;
	/*
	 * NOTE(review): presumably selects the responder location carried in
	 * the certificate itself instead of responderURI -- confirm.
	 */
	boolean_t	uri_from_cert;
	/* Kept as a string; units and format are not visible in this file. */
	char		*response_lifetime;
	/*
	 * NOTE(review): going by the name, a true value skips verification of
	 * the OCSP response signature -- confirm in the validation code.  An
	 * unverified response gives no assurance about revocation status, so
	 * a policy that sets this is worth flagging in an audit.
	 */
	boolean_t	ignore_response_sign;
} KMF_OCSP_BASIC_POLICY;
     49 
/*
 * Complete OCSP policy: the basic settings plus an optional responder
 * certificate reference.
 */
typedef struct {
	KMF_OCSP_BASIC_POLICY	basic;
	KMF_RESP_CERT_POLICY	resp_cert;
	/*
	 * NOTE(review): presumably true only when resp_cert is populated;
	 * readers should test this before using resp_cert -- confirm.
	 */
	boolean_t		has_resp_cert;
} KMF_OCSP_POLICY;
     55 
/*
 * CRL settings of a policy.  The member names appear to correspond to the
 * KMF_CRL_*_ATTR attribute names defined in this header.
 */
typedef struct {
	/* NOTE(review): presumably the CRL file name within directory. */
	char		*basefilename;
	char		*directory;
	char		*proxy;
	boolean_t	get_crl_uri;
	/*
	 * NOTE(review): going by the names, these two switch off the CRL
	 * signature check and the CRL date check -- confirm in the validation
	 * code.  Either one weakens revocation checking: an unsigned CRL can
	 * be substituted, and a stale CRL omits recent revocations.
	 */
	boolean_t	ignore_crl_sign;
	boolean_t	ignore_crl_date;
} KMF_CRL_POLICY;
     64 
/*
 * Revocation-checking settings of a policy: one OCSP block and one CRL
 * block.  KMF_POLICY_RECORD embeds this as validation_info.
 */
typedef struct {
	KMF_OCSP_POLICY		ocsp_info;
	KMF_CRL_POLICY		crl_info;
} KMF_VALIDATION_POLICY;
     69 
/*
 * Extended-key-usage OIDs attached to a policy.  kmf_free_eku_policy() is
 * declared in this header for releasing one.
 */
typedef struct {
	/*
	 * NOTE(review): presumably the number of entries in ekulist.  The
	 * count is a signed int, so code that indexes ekulist should reject
	 * negative values -- confirm against the parser.
	 */
	int	eku_count;
	KMF_OID	*ekulist;
} KMF_EKU_POLICY;
     74 
     75 
/*
 * Revocation method selectors.  The two values occupy distinct bits.
 * NOTE(review): presumably OR-ed together into KMF_POLICY_RECORD.revocation
 * -- confirm.
 */
#define	KMF_REVOCATION_METHOD_CRL	0x1
#define	KMF_REVOCATION_METHOD_OCSP	0x2
     78 
     79 
/*
 * One named policy: revocation-checking settings, key-usage constraints and
 * a trust-anchor reference.  kmf_free_policy_record() is declared in this
 * header for releasing one.
 */
typedef struct {
	char			*name;
	/* OCSP and CRL settings; the VAL_* macros are paths into this. */
	KMF_VALIDATION_POLICY	validation_info;
	KMF_EKU_POLICY		eku_set;
	/* NOTE(review): presumably a key-usage bit mask -- confirm layout. */
	uint32_t		ku_bits;
	/*
	 * NOTE(review): going by the names, each of the next three flags
	 * relaxes one certificate check (validity dates, unrecognised EKUs,
	 * trust-anchor lookup) -- confirm in the validation code.  Skipping
	 * the trust-anchor check in particular would leave a chain with no
	 * root of trust, so policies that set it are worth reviewing.
	 */
	boolean_t		ignore_date;
	boolean_t		ignore_unknown_ekus;
	boolean_t		ignore_trust_anchor;
	/* Kept as a string; units and format are not visible in this file. */
	char			*validity_adjusttime;
	/* Trust anchor identified by name and serial, both as strings. */
	char			*ta_name;
	char			*ta_serial;
	/* NOTE(review): presumably a mask of KMF_REVOCATION_METHOD_* bits. */
	uint32_t		revocation;
} KMF_POLICY_RECORD;
     93 
     94 
/*
 * Member-path shorthands for the OCSP part of a KMF_POLICY_RECORD.
 *
 * Each macro expands to a bare member path that starts at validation_info,
 * so it is written after "." or "->" on a record, for example
 * rec->VAL_OCSP_PROXY.  The expansions are deliberately not parenthesized:
 * they are member designators, not expressions.
 */
#define	VAL_OCSP			validation_info.ocsp_info

/* Paths into the basic OCSP settings. */
#define	VAL_OCSP_BASIC			VAL_OCSP.basic
#define	VAL_OCSP_RESPONDER_URI		VAL_OCSP.basic.responderURI
#define	VAL_OCSP_PROXY			VAL_OCSP.basic.proxy
#define	VAL_OCSP_URI_FROM_CERT		VAL_OCSP.basic.uri_from_cert
#define	VAL_OCSP_RESP_LIFETIME		VAL_OCSP.basic.response_lifetime
#define	VAL_OCSP_IGNORE_RESP_SIGN	VAL_OCSP.basic.ignore_response_sign

/* Paths into the responder certificate reference. */
#define	VAL_OCSP_RESP_CERT		VAL_OCSP.resp_cert
#define	VAL_OCSP_RESP_CERT_NAME		VAL_OCSP.resp_cert.name
#define	VAL_OCSP_RESP_CERT_SERIAL	VAL_OCSP.resp_cert.serial
    110 
/*
 * Member-path shorthands for the CRL part of a KMF_POLICY_RECORD.
 *
 * Each macro expands to a bare member path that starts at validation_info,
 * so it is written after "." or "->" on a record, for example
 * rec->VAL_CRL_DIRECTORY.  The expansions are deliberately not
 * parenthesized: they are member designators, not expressions.
 */
#define	VAL_CRL			validation_info.crl_info
#define	VAL_CRL_BASEFILENAME	VAL_CRL.basefilename
#define	VAL_CRL_DIRECTORY	VAL_CRL.directory
#define	VAL_CRL_GET_URI		VAL_CRL.get_crl_uri
#define	VAL_CRL_PROXY		VAL_CRL.proxy
#define	VAL_CRL_IGNORE_SIGN	VAL_CRL.ignore_crl_sign
#define	VAL_CRL_IGNORE_DATE	VAL_CRL.ignore_crl_date
    121 
/*
 * Policy related constant definitions.
 *
 * File locations first, then the XML element and attribute names of the
 * policy database.  Several attribute macros share one spelling ("name",
 * "proxy"); NOTE(review): presumably the enclosing element tells them
 * apart -- confirm against the DTD.
 */

/*
 * NOTE(review): the policy file decides which certificate checks run, so
 * both paths should be writable by privileged users only -- verify the
 * installed permissions.
 */
#define	KMF_POLICY_DTD		"/usr/share/lib/xml/dtd/kmfpolicy.dtd"
#define	KMF_DEFAULT_POLICY_FILE	"/etc/security/kmfpolicy.xml"

#define	KMF_DEFAULT_POLICY_NAME	"default"

/* Document root element. */
#define	KMF_POLICY_ROOT	"kmf-policy-db"

/* NOTE(review): presumably bounds on key-usage bit positions -- confirm. */
#define	KULOWBIT	7
#define	KUHIGHBIT	15

/*
 * Policy element and its attributes.  The three "ignore-*" names match
 * the ignore_* flags of KMF_POLICY_RECORD; a policy file that carries them
 * is worth reviewing, since the flag names indicate relaxed checks.
 */
#define	KMF_POLICY_ELEMENT		"kmf-policy"
#define	KMF_POLICY_NAME_ATTR		"name"
#define	KMF_OPTIONS_IGNORE_DATE_ATTR	"ignore-date"
#define	KMF_OPTIONS_IGNORE_UNKNOWN_EKUS	"ignore-unknown-eku"
#define	KMF_OPTIONS_IGNORE_TRUST_ANCHOR	"ignore-trust-anchor"
#define	KMF_OPTIONS_VALIDITY_ADJUSTTIME	"validity-adjusttime"
#define	KMF_POLICY_TA_NAME_ATTR		"ta-name"
#define	KMF_POLICY_TA_SERIAL_ATTR	"ta-serial"

#define	KMF_VALIDATION_METHODS_ELEMENT	"validation-methods"

/* OCSP elements and attributes. */
#define	KMF_OCSP_ELEMENT		"ocsp"
#define	KMF_OCSP_BASIC_ELEMENT		"ocsp-basic"
#define	KMF_OCSP_RESPONDER_ATTR		"responder"
#define	KMF_OCSP_PROXY_ATTR		"proxy"
#define	KMF_OCSP_URI_ATTR		"uri-from-cert"
#define	KMF_OCSP_RESPONSE_LIFETIME_ATTR	"response-lifetime"
#define	KMF_OCSP_IGNORE_SIGN_ATTR	"ignore-response-sign"
#define	KMF_OCSP_RESPONDER_CERT_ELEMENT	"responder-cert"

/* Attributes that identify a certificate. */
#define	KMF_CERT_NAME_ATTR		"name"
#define	KMF_CERT_SERIAL_ATTR		"serial"

/* CRL element and attributes. */
#define	KMF_CRL_ELEMENT			"crl"
#define	KMF_CRL_BASENAME_ATTR		"basefilename"
#define	KMF_CRL_DIRECTORY_ATTR		"directory"
#define	KMF_CRL_GET_URI_ATTR		"get-crl-uri"
#define	KMF_CRL_PROXY_ATTR		"proxy"
#define	KMF_CRL_IGNORE_SIGN_ATTR	"ignore-crl-sign"
#define	KMF_CRL_IGNORE_DATE_ATTR	"ignore-crl-date"

/* Key-usage elements and attribute. */
#define	KMF_KEY_USAGE_SET_ELEMENT	"key-usage-set"
#define	KMF_KEY_USAGE_ELEMENT		"key-usage"
#define	KMF_KEY_USAGE_USE_ATTR		"use"

/* Extended-key-usage elements and attributes. */
#define	KMF_EKU_ELEMENT		"ext-key-usage"
#define	KMF_EKU_NAME_ELEMENT	"eku-name"
#define	KMF_EKU_NAME_ATTR	"name"
#define	KMF_EKU_OID_ELEMENT	"eku-oid"
#define	KMF_EKU_OID_ATTR	"oid"

/*
 * Ends in the six X characters that mkstemp() requires of its template.
 * NOTE(review): confirm that users of this template create the file with
 * mkstemp() (exclusive creation) rather than mktemp(), and in a directory
 * that unprivileged users cannot write.
 */
#define	TMPFILE_TEMPLATE	"policyXXXXXX"
    177 
/*
 * Policy database interface.  The prototypes carry no parameter names, so
 * the roles noted below are inferred from the types and function names
 * only -- confirm each against the implementation.
 */

/* Takes an XML node and a policy record; returns an int status. */
extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *);

/*
 * NOTE(review): the char * arguments are presumably a database file name
 * and a policy name, in an order this header does not show.  If callers
 * can pass a path taken from user input, check how it is validated.
 */
extern KMF_RETURN kmf_get_policy(char *, char *, KMF_POLICY_RECORD *);
extern KMF_RETURN kmf_add_policy_to_db(KMF_POLICY_RECORD *, char *, boolean_t);
extern KMF_RETURN kmf_delete_policy_from_db(char *, char *);

/*
 * NOTE(review): presumably a consistency check on a record; whether it
 * rejects policies that set the ignore_* flags is not visible here.
 */
extern KMF_RETURN kmf_verify_policy(KMF_POLICY_RECORD *);

/*
 * Release routines.  NOTE(review): it is not visible here whether they
 * free the structure itself or only the members it points to -- confirm
 * before relying on either.
 */
extern void kmf_free_policy_record(KMF_POLICY_RECORD *);
extern void kmf_free_eku_policy(KMF_EKU_POLICY *);
    187 
    188 #ifdef __cplusplus
    189 }
    190 #endif
    191 #endif /* _KMFPOLICY_H */
    192