1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 * 21 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 22 * Use is subject to license terms. 23 */ 24 #ifndef _KMFPOLICY_H 25 #define _KMFPOLICY_H 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <kmfapi.h> 30 #include <libxml/tree.h> 31 #include <libxml/parser.h> 32 33 #ifdef __cplusplus 34 extern "C" { 35 #endif 36 37 typedef struct { 38 char *name; 39 char *serial; 40 }KMF_RESP_CERT_POLICY; 41 42 typedef struct { 43 char *responderURI; 44 char *proxy; 45 boolean_t uri_from_cert; 46 char *response_lifetime; 47 boolean_t ignore_response_sign; 48 }KMF_OCSP_BASIC_POLICY; 49 50 typedef struct { 51 KMF_OCSP_BASIC_POLICY basic; 52 KMF_RESP_CERT_POLICY resp_cert; 53 boolean_t has_resp_cert; 54 }KMF_OCSP_POLICY; 55 56 typedef struct { 57 char *basefilename; 58 char *directory; 59 char *proxy; 60 boolean_t get_crl_uri; 61 boolean_t ignore_crl_sign; 62 boolean_t ignore_crl_date; 63 }KMF_CRL_POLICY; 64 65 typedef struct { 66 KMF_OCSP_POLICY ocsp_info; 67 KMF_CRL_POLICY crl_info; 68 }KMF_VALIDATION_POLICY; 69 70 typedef struct { 71 int eku_count; 72 KMF_OID *ekulist; 73 }KMF_EKU_POLICY; 74 75 76 #define KMF_REVOCATION_METHOD_CRL 0x1 77 #define KMF_REVOCATION_METHOD_OCSP 0x2 78 79 80 typedef struct { 81 char *name; 82 KMF_VALIDATION_POLICY validation_info; 83 KMF_EKU_POLICY eku_set; 84 uint32_t ku_bits; 85 boolean_t ignore_date; 86 boolean_t ignore_unknown_ekus; 87 boolean_t ignore_trust_anchor; 88 char *validity_adjusttime; 89 char *ta_name; 90 char *ta_serial; 91 uint32_t revocation; 92 } KMF_POLICY_RECORD; 93 94 95 /* 96 * Short cut for ocsp_info and etc. 97 */ 98 #define VAL_OCSP validation_info.ocsp_info 99 100 #define VAL_OCSP_BASIC VAL_OCSP.basic 101 #define VAL_OCSP_RESPONDER_URI VAL_OCSP_BASIC.responderURI 102 #define VAL_OCSP_PROXY VAL_OCSP_BASIC.proxy 103 #define VAL_OCSP_URI_FROM_CERT VAL_OCSP_BASIC.uri_from_cert 104 #define VAL_OCSP_RESP_LIFETIME VAL_OCSP_BASIC.response_lifetime 105 #define VAL_OCSP_IGNORE_RESP_SIGN VAL_OCSP_BASIC.ignore_response_sign 106 107 #define VAL_OCSP_RESP_CERT VAL_OCSP.resp_cert 108 #define VAL_OCSP_RESP_CERT_NAME VAL_OCSP_RESP_CERT.name 109 #define VAL_OCSP_RESP_CERT_SERIAL VAL_OCSP_RESP_CERT.serial 110 111 /* 112 * Short cut for crl_info and etc. 113 */ 114 #define VAL_CRL validation_info.crl_info 115 #define VAL_CRL_BASEFILENAME validation_info.crl_info.basefilename 116 #define VAL_CRL_DIRECTORY validation_info.crl_info.directory 117 #define VAL_CRL_GET_URI validation_info.crl_info.get_crl_uri 118 #define VAL_CRL_PROXY validation_info.crl_info.proxy 119 #define VAL_CRL_IGNORE_SIGN validation_info.crl_info.ignore_crl_sign 120 #define VAL_CRL_IGNORE_DATE validation_info.crl_info.ignore_crl_date 121 122 /* 123 * Policy related constant definitions. 124 */ 125 #define KMF_POLICY_DTD "/usr/share/lib/xml/dtd/kmfpolicy.dtd" 126 #define KMF_DEFAULT_POLICY_FILE "/etc/security/kmfpolicy.xml" 127 128 #define KMF_DEFAULT_POLICY_NAME "default" 129 130 #define KMF_POLICY_ROOT "kmf-policy-db" 131 132 #define KULOWBIT 7 133 #define KUHIGHBIT 15 134 135 #define KMF_POLICY_ELEMENT "kmf-policy" 136 #define KMF_POLICY_NAME_ATTR "name" 137 #define KMF_OPTIONS_IGNORE_DATE_ATTR "ignore-date" 138 #define KMF_OPTIONS_IGNORE_UNKNOWN_EKUS "ignore-unknown-eku" 139 #define KMF_OPTIONS_IGNORE_TRUST_ANCHOR "ignore-trust-anchor" 140 #define KMF_OPTIONS_VALIDITY_ADJUSTTIME "validity-adjusttime" 141 #define KMF_POLICY_TA_NAME_ATTR "ta-name" 142 #define KMF_POLICY_TA_SERIAL_ATTR "ta-serial" 143 144 #define KMF_VALIDATION_METHODS_ELEMENT "validation-methods" 145 146 #define KMF_OCSP_ELEMENT "ocsp" 147 #define KMF_OCSP_BASIC_ELEMENT "ocsp-basic" 148 #define KMF_OCSP_RESPONDER_ATTR "responder" 149 #define KMF_OCSP_PROXY_ATTR "proxy" 150 #define KMF_OCSP_URI_ATTR "uri-from-cert" 151 #define KMF_OCSP_RESPONSE_LIFETIME_ATTR "response-lifetime" 152 #define KMF_OCSP_IGNORE_SIGN_ATTR "ignore-response-sign" 153 #define KMF_OCSP_RESPONDER_CERT_ELEMENT "responder-cert" 154 155 #define KMF_CERT_NAME_ATTR "name" 156 #define KMF_CERT_SERIAL_ATTR "serial" 157 158 #define KMF_CRL_ELEMENT "crl" 159 #define KMF_CRL_BASENAME_ATTR "basefilename" 160 #define KMF_CRL_DIRECTORY_ATTR "directory" 161 #define KMF_CRL_GET_URI_ATTR "get-crl-uri" 162 #define KMF_CRL_PROXY_ATTR "proxy" 163 #define KMF_CRL_IGNORE_SIGN_ATTR "ignore-crl-sign" 164 #define KMF_CRL_IGNORE_DATE_ATTR "ignore-crl-date" 165 166 #define KMF_KEY_USAGE_SET_ELEMENT "key-usage-set" 167 #define KMF_KEY_USAGE_ELEMENT "key-usage" 168 #define KMF_KEY_USAGE_USE_ATTR "use" 169 170 #define KMF_EKU_ELEMENT "ext-key-usage" 171 #define KMF_EKU_NAME_ELEMENT "eku-name" 172 #define KMF_EKU_NAME_ATTR "name" 173 #define KMF_EKU_OID_ELEMENT "eku-oid" 174 #define KMF_EKU_OID_ATTR "oid" 175 176 #define TMPFILE_TEMPLATE "policyXXXXXX" 177 178 extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *); 179 180 extern KMF_RETURN kmf_get_policy(char *, char *, KMF_POLICY_RECORD *); 181 extern KMF_RETURN kmf_add_policy_to_db(KMF_POLICY_RECORD *, char *, boolean_t); 182 extern KMF_RETURN kmf_delete_policy_from_db(char *, char *); 183 extern KMF_RETURN kmf_verify_policy(KMF_POLICY_RECORD *); 184 185 extern void kmf_free_policy_record(KMF_POLICY_RECORD *); 186 extern void kmf_free_eku_policy(KMF_EKU_POLICY *); 187 188 #ifdef __cplusplus 189 } 190 #endif 191 #endif /* _KMFPOLICY_H */ 192