xref: /onnv-gate/usr/src/lib/libkmf/include/kmfpolicy.h (revision 12611:d9f75b73c5fd)
13089Swyllys /*
23089Swyllys  * CDDL HEADER START
33089Swyllys  *
43089Swyllys  * The contents of this file are subject to the terms of the
53089Swyllys  * Common Development and Distribution License (the "License").
63089Swyllys  * You may not use this file except in compliance with the License.
73089Swyllys  *
83089Swyllys  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
93089Swyllys  * or http://www.opensolaris.org/os/licensing.
103089Swyllys  * See the License for the specific language governing permissions
113089Swyllys  * and limitations under the License.
123089Swyllys  *
133089Swyllys  * When distributing Covered Code, include this CDDL HEADER in each
143089Swyllys  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
153089Swyllys  * If applicable, add the following below this CDDL HEADER, with the
163089Swyllys  * fields enclosed by brackets "[]" replaced with your own identifying
173089Swyllys  * information: Portions Copyright [yyyy] [name of copyright owner]
183089Swyllys  *
193089Swyllys  * CDDL HEADER END
203089Swyllys  *
21*12611SJan.Pechanec@Sun.COM  * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
223089Swyllys  */
233089Swyllys #ifndef _KMFPOLICY_H
243089Swyllys #define	_KMFPOLICY_H
253089Swyllys 
263089Swyllys #include <kmfapi.h>
27*12611SJan.Pechanec@Sun.COM #include <kmfmapper.h>
283089Swyllys #include <libxml/tree.h>
293089Swyllys #include <libxml/parser.h>
303089Swyllys 
313089Swyllys #ifdef __cplusplus
323089Swyllys extern "C" {
333089Swyllys #endif
343089Swyllys 
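/*
 * A certificate identified by name and serial number.  Embedded in
 * KMF_OCSP_POLICY as `resp_cert`.
 * NOTE(review): the matching XML element is presumably
 * KMF_OCSP_RESPONDER_CERT_ELEMENT ("responder-cert"), i.e. the certificate
 * expected to sign OCSP responses -- confirm against the policy parser.
 */
typedef struct {
	char		*name;		/* cf. KMF_CERT_NAME_ATTR */
	char		*serial;	/* cf. KMF_CERT_SERIAL_ATTR; kept as a string */
} KMF_RESP_CERT_POLICY;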
393089Swyllys 
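/*
 * Basic OCSP settings of a policy (embedded in KMF_OCSP_POLICY as `basic`).
 * Each comment names the XML attribute macro that matches the field by
 * name; the parser that fills the struct is not part of this header.
 */
typedef struct {
	char		*responderURI;	/* cf. KMF_OCSP_RESPONDER_ATTR */
	char		*proxy;		/* cf. KMF_OCSP_PROXY_ATTR */
	boolean_t 	uri_from_cert;	/* cf. KMF_OCSP_URI_ATTR */
	/* Kept as a string; the accepted format is not defined here. */
	char		*response_lifetime;
	/*
	 * NOTE(review): by its name, a true value skips verification of the
	 * OCSP response signature, after which the reported revocation status
	 * can no longer be trusted.  Confirm in the validation code and keep
	 * it false outside test setups.
	 */
	boolean_t	ignore_response_sign;
} KMF_OCSP_BASIC_POLICY;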
473089Swyllys 
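/*
 * Complete OCSP section of a policy: the basic settings plus an optional
 * responder certificate.
 */
typedef struct {
	KMF_OCSP_BASIC_POLICY	basic;
	KMF_RESP_CERT_POLICY	resp_cert;
	/*
	 * NOTE(review): presumably tells whether resp_cert holds meaningful
	 * data; check it before reading resp_cert.name / resp_cert.serial.
	 */
	boolean_t		has_resp_cert;
} KMF_OCSP_POLICY;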
533089Swyllys 
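/*
 * CRL section of a policy.  Each comment names the XML attribute macro that
 * matches the field by name.
 */
typedef struct {
	char *basefilename;		/* cf. KMF_CRL_BASENAME_ATTR */
	char *directory;		/* cf. KMF_CRL_DIRECTORY_ATTR */
	char *proxy;			/* cf. KMF_CRL_PROXY_ATTR */
	boolean_t get_crl_uri;		/* cf. KMF_CRL_GET_URI_ATTR */
	/*
	 * NOTE(review): by their names, the two flags below skip the CRL
	 * signature check and the CRL date check.  With either set, a forged
	 * or stale CRL may be accepted as current -- confirm in the validation
	 * code and keep both false outside test setups.
	 */
	boolean_t ignore_crl_sign;	/* cf. KMF_CRL_IGNORE_SIGN_ATTR */
	boolean_t ignore_crl_date;	/* cf. KMF_CRL_IGNORE_DATE_ATTR */
} KMF_CRL_POLICY;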
623089Swyllys 
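/*
 * Revocation-checking settings of a policy: one OCSP section and one CRL
 * section.  The VAL_OCSP and VAL_CRL shorthand macros in this header expand
 * to paths through these two members.
 */
typedef struct {
	KMF_OCSP_POLICY	ocsp_info;
	KMF_CRL_POLICY	crl_info;
} KMF_VALIDATION_POLICY;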
673089Swyllys 
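/*
 * Extended key usage (EKU) OIDs attached to a policy.
 * NOTE(review): eku_count is presumably the number of entries in ekulist;
 * it is a signed int, so code indexing ekulist should reject negative
 * values.  kmf_free_eku_policy() is declared in this header for release.
 */
typedef struct {
	int		eku_count;
	KMF_OID		*ekulist;
} KMF_EKU_POLICY;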
723089Swyllys 
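/*
 * Revocation method selectors.  The values are distinct single bits.
 * NOTE(review): presumably OR-ed together into the uint32_t `revocation`
 * member of KMF_POLICY_RECORD -- confirm against the users of that field.
 */
#define	KMF_REVOCATION_METHOD_CRL		0x1
#define	KMF_REVOCATION_METHOD_OCSP		0x2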
753089Swyllys 
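/*
 * One named policy, as exchanged with kmf_get_policy(),
 * kmf_add_policy_to_db() and kmf_verify_policy().  Each comment names the
 * XML attribute macro that matches the field by name.
 */
typedef struct {
	char			*name;		/* cf. KMF_POLICY_NAME_ATTR */
	KMF_VALIDATION_POLICY	validation_info;
	KMF_EKU_POLICY		eku_set;
	KMF_MAPPER_RECORD	mapper; /* kmfmapper.h */
	/* NOTE(review): presumably a key-usage bit mask; see KULOWBIT/KUHIGHBIT. */
	uint32_t		ku_bits;
	/*
	 * NOTE(review): by their names, the three flags below relax
	 * certificate validation (validity dates, unknown EKUs, trust anchor
	 * check).  A policy that sets them accepts certificates that would
	 * otherwise be rejected -- confirm in the validation code and review
	 * any policy that enables them.
	 */
	boolean_t		ignore_date;
	boolean_t		ignore_unknown_ekus;
	boolean_t		ignore_trust_anchor;
	/* Kept as a string; the accepted format is not defined here. */
	char			*validity_adjusttime;
	char			*ta_name;	/* cf. KMF_POLICY_TA_NAME_ATTR */
	char			*ta_serial;	/* cf. KMF_POLICY_TA_SERIAL_ATTR */
	/* NOTE(review): presumably a mask of KMF_REVOCATION_METHOD_* bits. */
	uint32_t		revocation;
} KMF_POLICY_RECORD;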
903089Swyllys 
913089Swyllys 
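/*
 * Shorthand member paths into KMF_POLICY_RECORD for the OCSP settings.
 * Each macro expands to a member path beginning at `validation_info`, so it
 * is written after `.` or `->` on a policy record, e.g. rec->VAL_OCSP_PROXY.
 * These are plain object-like macros: the names are replaced wherever they
 * appear as identifiers in code that includes this header.
 */
#define	VAL_OCSP			validation_info.ocsp_info

/* Members of KMF_OCSP_BASIC_POLICY. */
#define	VAL_OCSP_BASIC			VAL_OCSP.basic
#define	VAL_OCSP_RESPONDER_URI		VAL_OCSP_BASIC.responderURI
#define	VAL_OCSP_PROXY			VAL_OCSP_BASIC.proxy
#define	VAL_OCSP_URI_FROM_CERT		VAL_OCSP_BASIC.uri_from_cert
#define	VAL_OCSP_RESP_LIFETIME		VAL_OCSP_BASIC.response_lifetime
#define	VAL_OCSP_IGNORE_RESP_SIGN	VAL_OCSP_BASIC.ignore_response_sign

/* Members of KMF_RESP_CERT_POLICY. */
#define	VAL_OCSP_RESP_CERT		VAL_OCSP.resp_cert
#define	VAL_OCSP_RESP_CERT_NAME		VAL_OCSP_RESP_CERT.name
#define	VAL_OCSP_RESP_CERT_SERIAL	VAL_OCSP_RESP_CERT.serial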
1073089Swyllys 
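/*
 * Shorthand member paths into KMF_POLICY_RECORD for the CRL settings.
 * Each macro expands to a member path beginning at `validation_info`, so it
 * is written after `.` or `->` on a policy record, e.g. rec->VAL_CRL_PROXY.
 * The per-field macros are built on VAL_CRL, mirroring how the OCSP
 * shorthands build on VAL_OCSP; the expansions are the same member paths
 * as when they were spelled out in full.
 */
#define	VAL_CRL			validation_info.crl_info
#define	VAL_CRL_BASEFILENAME	VAL_CRL.basefilename
#define	VAL_CRL_DIRECTORY	VAL_CRL.directory
#define	VAL_CRL_GET_URI		VAL_CRL.get_crl_uri
#define	VAL_CRL_PROXY		VAL_CRL.proxy
#define	VAL_CRL_IGNORE_SIGN	VAL_CRL.ignore_crl_sign
#define	VAL_CRL_IGNORE_DATE	VAL_CRL.ignore_crl_date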
1183089Swyllys 
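/*
 * Policy related constant definitions.
 *
 * The policy database decides, among other things, whether signature, date
 * and trust-anchor checks are relaxed (see the ignore_* members of the
 * policy structures), so the default file named below should be writable
 * only by privileged users.
 */
#define	KMF_POLICY_DTD		"/usr/share/lib/xml/dtd/kmfpolicy.dtd"
#define	KMF_DEFAULT_POLICY_FILE	"/etc/security/kmfpolicy.xml"

/* Name of the policy used by default. */
#define	KMF_DEFAULT_POLICY_NAME	"default"

/* NOTE(review): presumably the root element of the policy XML document. */
#define	KMF_POLICY_ROOT	"kmf-policy-db"

/*
 * NOTE(review): presumably the lowest and highest key-usage bit positions
 * used with KMF_POLICY_RECORD.ku_bits -- confirm against the code that
 * builds or tests that mask.
 */
#define	KULOWBIT	7
#define	KUHIGHBIT	15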
1313089Swyllys 
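/*
 * XML element and attribute names of the policy file.  Several macros share
 * one string ("name" three times, "proxy" twice), so an attribute name is
 * only meaningful together with the element it is read from.
 */

/* <kmf-policy> element and its attributes. */
#define	KMF_POLICY_ELEMENT		"kmf-policy"
#define	KMF_POLICY_NAME_ATTR		"name"
#define	KMF_OPTIONS_IGNORE_DATE_ATTR	"ignore-date"
#define	KMF_OPTIONS_IGNORE_UNKNOWN_EKUS	"ignore-unknown-eku"
#define	KMF_OPTIONS_IGNORE_TRUST_ANCHOR	"ignore-trust-anchor"
#define	KMF_OPTIONS_VALIDITY_ADJUSTTIME	"validity-adjusttime"
#define	KMF_POLICY_TA_NAME_ATTR		"ta-name"
#define	KMF_POLICY_TA_SERIAL_ATTR	"ta-serial"

#define	KMF_VALIDATION_METHODS_ELEMENT	"validation-methods"

/* OCSP settings; field counterparts are in KMF_OCSP_BASIC_POLICY. */
#define	KMF_OCSP_ELEMENT		"ocsp"
#define	KMF_OCSP_BASIC_ELEMENT		"ocsp-basic"
#define	KMF_OCSP_RESPONDER_ATTR		"responder"
#define	KMF_OCSP_PROXY_ATTR		"proxy"
#define	KMF_OCSP_URI_ATTR		"uri-from-cert"
#define	KMF_OCSP_RESPONSE_LIFETIME_ATTR	"response-lifetime"
#define	KMF_OCSP_IGNORE_SIGN_ATTR	"ignore-response-sign"
#define	KMF_OCSP_RESPONDER_CERT_ELEMENT	"responder-cert"

/* Certificate identification; field counterparts are in KMF_RESP_CERT_POLICY. */
#define	KMF_CERT_NAME_ATTR		"name"
#define	KMF_CERT_SERIAL_ATTR		"serial"

/* CRL settings; field counterparts are in KMF_CRL_POLICY. */
#define	KMF_CRL_ELEMENT			"crl"
#define	KMF_CRL_BASENAME_ATTR		"basefilename"
#define	KMF_CRL_DIRECTORY_ATTR		"directory"
#define	KMF_CRL_GET_URI_ATTR		"get-crl-uri"
#define	KMF_CRL_PROXY_ATTR		"proxy"
#define	KMF_CRL_IGNORE_SIGN_ATTR	"ignore-crl-sign"
#define	KMF_CRL_IGNORE_DATE_ATTR	"ignore-crl-date"

/* Key usage. */
#define	KMF_KEY_USAGE_SET_ELEMENT	"key-usage-set"
#define	KMF_KEY_USAGE_ELEMENT		"key-usage"
#define	KMF_KEY_USAGE_USE_ATTR		"use"

/* Extended key usage, given either by name or by OID. */
#define	KMF_EKU_ELEMENT		"ext-key-usage"
#define	KMF_EKU_NAME_ELEMENT	"eku-name"
#define	KMF_EKU_NAME_ATTR	"name"
#define	KMF_EKU_OID_ELEMENT	"eku-oid"
#define	KMF_EKU_OID_ATTR	"oid"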
1723089Swyllys 
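/*
 * XML names for the certificate-to-name mapper section; the parsed values
 * are held in the KMF_MAPPER_RECORD `mapper` member of KMF_POLICY_RECORD.
 * NOTE(review): if the directory/pathname attributes select a module that
 * the library loads, the policy file also controls which code is loaded --
 * confirm in the mapper code and keep the policy file and the named
 * directory writable only by privileged users.
 */
#define	KMF_CERT_MAPPER_ELEMENT		"cert-to-name-mapping"
#define	KMF_CERT_MAPPER_NAME_ATTR	"mapper-name"
#define	KMF_CERT_MAPPER_DIR_ATTR	"mapper-directory"
#define	KMF_CERT_MAPPER_PATH_ATTR	"mapper-pathname"
#define	KMF_CERT_MAPPER_OPTIONS_ATTR	"mapper-options"

/*
 * File name template ending in six 'X' characters.
 * NOTE(review): presumably used for a temporary file while the policy
 * database is rewritten; callers should create the file atomically with
 * mkstemp() rather than generating a name with mktemp().
 */
#define	TMPFILE_TEMPLATE	"policyXXXXXX"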
1803089Swyllys 
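/*
 * Takes an XML node and a policy record.
 * NOTE(review): by its name and signature this fills the record from one
 * policy element; the meaning of the int return is not visible here.
 */
extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *);

/*
 * Policy database entry points, all returning KMF_RETURN.  The parameters
 * are unnamed in this header, so the meaning and order of the char *
 * arguments (and of the boolean_t flag) must be taken from the function
 * definitions before calling.
 */
extern KMF_RETURN kmf_get_policy(char *, char *, KMF_POLICY_RECORD *);
extern KMF_RETURN kmf_add_policy_to_db(KMF_POLICY_RECORD *, char *, boolean_t);
extern KMF_RETURN kmf_delete_policy_from_db(char *, char *);
extern KMF_RETURN kmf_verify_policy(KMF_POLICY_RECORD *);

/*
 * Release functions for the policy structures.
 * NOTE(review): whether they free the structure itself or only the memory
 * its members point to is not visible here -- check before reusing or
 * freeing a record after the call.
 */
extern void kmf_free_policy_record(KMF_POLICY_RECORD *);
extern void kmf_free_eku_policy(KMF_EKU_POLICY *);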
1903089Swyllys 
1913089Swyllys #ifdef __cplusplus
1923089Swyllys }
1933089Swyllys #endif
1943089Swyllys #endif /* _KMFPOLICY_H */