1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 * 21 * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. 22 */ 23 #ifndef _KMFPOLICY_H 24 #define _KMFPOLICY_H 25 26 #include <kmfapi.h> 27 #include <kmfmapper.h> 28 #include <libxml/tree.h> 29 #include <libxml/parser.h> 30 31 #ifdef __cplusplus 32 extern "C" { 33 #endif 34 35 typedef struct { 36 char *name; 37 char *serial; 38 }KMF_RESP_CERT_POLICY; 39 40 typedef struct { 41 char *responderURI; 42 char *proxy; 43 boolean_t uri_from_cert; 44 char *response_lifetime; 45 boolean_t ignore_response_sign; 46 }KMF_OCSP_BASIC_POLICY; 47 48 typedef struct { 49 KMF_OCSP_BASIC_POLICY basic; 50 KMF_RESP_CERT_POLICY resp_cert; 51 boolean_t has_resp_cert; 52 }KMF_OCSP_POLICY; 53 54 typedef struct { 55 char *basefilename; 56 char *directory; 57 char *proxy; 58 boolean_t get_crl_uri; 59 boolean_t ignore_crl_sign; 60 boolean_t ignore_crl_date; 61 }KMF_CRL_POLICY; 62 63 typedef struct { 64 KMF_OCSP_POLICY ocsp_info; 65 KMF_CRL_POLICY crl_info; 66 }KMF_VALIDATION_POLICY; 67 68 typedef struct { 69 int eku_count; 70 KMF_OID *ekulist; 71 }KMF_EKU_POLICY; 72 73 #define KMF_REVOCATION_METHOD_CRL 0x1 74 #define KMF_REVOCATION_METHOD_OCSP 0x2 75 76 typedef struct { 77 char *name; 78 KMF_VALIDATION_POLICY validation_info; 79 KMF_EKU_POLICY eku_set; 80 KMF_MAPPER_RECORD mapper; /* kmfmapper.h */ 81 uint32_t ku_bits; 82 boolean_t ignore_date; 83 boolean_t ignore_unknown_ekus; 84 boolean_t ignore_trust_anchor; 85 char *validity_adjusttime; 86 char *ta_name; 87 char *ta_serial; 88 uint32_t revocation; 89 } KMF_POLICY_RECORD; 90 91 92 /* 93 * Short cut for ocsp_info and etc. 94 */ 95 #define VAL_OCSP validation_info.ocsp_info 96 97 #define VAL_OCSP_BASIC VAL_OCSP.basic 98 #define VAL_OCSP_RESPONDER_URI VAL_OCSP_BASIC.responderURI 99 #define VAL_OCSP_PROXY VAL_OCSP_BASIC.proxy 100 #define VAL_OCSP_URI_FROM_CERT VAL_OCSP_BASIC.uri_from_cert 101 #define VAL_OCSP_RESP_LIFETIME VAL_OCSP_BASIC.response_lifetime 102 #define VAL_OCSP_IGNORE_RESP_SIGN VAL_OCSP_BASIC.ignore_response_sign 103 104 #define VAL_OCSP_RESP_CERT VAL_OCSP.resp_cert 105 #define VAL_OCSP_RESP_CERT_NAME VAL_OCSP_RESP_CERT.name 106 #define VAL_OCSP_RESP_CERT_SERIAL VAL_OCSP_RESP_CERT.serial 107 108 /* 109 * Short cut for crl_info and etc. 110 */ 111 #define VAL_CRL validation_info.crl_info 112 #define VAL_CRL_BASEFILENAME validation_info.crl_info.basefilename 113 #define VAL_CRL_DIRECTORY validation_info.crl_info.directory 114 #define VAL_CRL_GET_URI validation_info.crl_info.get_crl_uri 115 #define VAL_CRL_PROXY validation_info.crl_info.proxy 116 #define VAL_CRL_IGNORE_SIGN validation_info.crl_info.ignore_crl_sign 117 #define VAL_CRL_IGNORE_DATE validation_info.crl_info.ignore_crl_date 118 119 /* 120 * Policy related constant definitions. 121 */ 122 #define KMF_POLICY_DTD "/usr/share/lib/xml/dtd/kmfpolicy.dtd" 123 #define KMF_DEFAULT_POLICY_FILE "/etc/security/kmfpolicy.xml" 124 125 #define KMF_DEFAULT_POLICY_NAME "default" 126 127 #define KMF_POLICY_ROOT "kmf-policy-db" 128 129 #define KULOWBIT 7 130 #define KUHIGHBIT 15 131 132 #define KMF_POLICY_ELEMENT "kmf-policy" 133 #define KMF_POLICY_NAME_ATTR "name" 134 #define KMF_OPTIONS_IGNORE_DATE_ATTR "ignore-date" 135 #define KMF_OPTIONS_IGNORE_UNKNOWN_EKUS "ignore-unknown-eku" 136 #define KMF_OPTIONS_IGNORE_TRUST_ANCHOR "ignore-trust-anchor" 137 #define KMF_OPTIONS_VALIDITY_ADJUSTTIME "validity-adjusttime" 138 #define KMF_POLICY_TA_NAME_ATTR "ta-name" 139 #define KMF_POLICY_TA_SERIAL_ATTR "ta-serial" 140 141 #define KMF_VALIDATION_METHODS_ELEMENT "validation-methods" 142 143 #define KMF_OCSP_ELEMENT "ocsp" 144 #define KMF_OCSP_BASIC_ELEMENT "ocsp-basic" 145 #define KMF_OCSP_RESPONDER_ATTR "responder" 146 #define KMF_OCSP_PROXY_ATTR "proxy" 147 #define KMF_OCSP_URI_ATTR "uri-from-cert" 148 #define KMF_OCSP_RESPONSE_LIFETIME_ATTR "response-lifetime" 149 #define KMF_OCSP_IGNORE_SIGN_ATTR "ignore-response-sign" 150 #define KMF_OCSP_RESPONDER_CERT_ELEMENT "responder-cert" 151 152 #define KMF_CERT_NAME_ATTR "name" 153 #define KMF_CERT_SERIAL_ATTR "serial" 154 155 #define KMF_CRL_ELEMENT "crl" 156 #define KMF_CRL_BASENAME_ATTR "basefilename" 157 #define KMF_CRL_DIRECTORY_ATTR "directory" 158 #define KMF_CRL_GET_URI_ATTR "get-crl-uri" 159 #define KMF_CRL_PROXY_ATTR "proxy" 160 #define KMF_CRL_IGNORE_SIGN_ATTR "ignore-crl-sign" 161 #define KMF_CRL_IGNORE_DATE_ATTR "ignore-crl-date" 162 163 #define KMF_KEY_USAGE_SET_ELEMENT "key-usage-set" 164 #define KMF_KEY_USAGE_ELEMENT "key-usage" 165 #define KMF_KEY_USAGE_USE_ATTR "use" 166 167 #define KMF_EKU_ELEMENT "ext-key-usage" 168 #define KMF_EKU_NAME_ELEMENT "eku-name" 169 #define KMF_EKU_NAME_ATTR "name" 170 #define KMF_EKU_OID_ELEMENT "eku-oid" 171 #define KMF_EKU_OID_ATTR "oid" 172 173 #define KMF_CERT_MAPPER_ELEMENT "cert-to-name-mapping" 174 #define KMF_CERT_MAPPER_NAME_ATTR "mapper-name" 175 #define KMF_CERT_MAPPER_DIR_ATTR "mapper-directory" 176 #define KMF_CERT_MAPPER_PATH_ATTR "mapper-pathname" 177 #define KMF_CERT_MAPPER_OPTIONS_ATTR "mapper-options" 178 179 #define TMPFILE_TEMPLATE "policyXXXXXX" 180 181 extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *); 182 183 extern KMF_RETURN kmf_get_policy(char *, char *, KMF_POLICY_RECORD *); 184 extern KMF_RETURN kmf_add_policy_to_db(KMF_POLICY_RECORD *, char *, boolean_t); 185 extern KMF_RETURN kmf_delete_policy_from_db(char *, char *); 186 extern KMF_RETURN kmf_verify_policy(KMF_POLICY_RECORD *); 187 188 extern void kmf_free_policy_record(KMF_POLICY_RECORD *); 189 extern void kmf_free_eku_policy(KMF_EKU_POLICY *); 190 191 #ifdef __cplusplus 192 } 193 #endif 194 #endif /* _KMFPOLICY_H */ 195