1*3089Swyllys /* 2*3089Swyllys * CDDL HEADER START 3*3089Swyllys * 4*3089Swyllys * The contents of this file are subject to the terms of the 5*3089Swyllys * Common Development and Distribution License (the "License"). 6*3089Swyllys * You may not use this file except in compliance with the License. 7*3089Swyllys * 8*3089Swyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9*3089Swyllys * or http://www.opensolaris.org/os/licensing. 10*3089Swyllys * See the License for the specific language governing permissions 11*3089Swyllys * and limitations under the License. 12*3089Swyllys * 13*3089Swyllys * When distributing Covered Code, include this CDDL HEADER in each 14*3089Swyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15*3089Swyllys * If applicable, add the following below this CDDL HEADER, with the 16*3089Swyllys * fields enclosed by brackets "[]" replaced with your own identifying 17*3089Swyllys * information: Portions Copyright [yyyy] [name of copyright owner] 18*3089Swyllys * 19*3089Swyllys * CDDL HEADER END 20*3089Swyllys * 21*3089Swyllys * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 22*3089Swyllys * Use is subject to license terms. 23*3089Swyllys */ 24*3089Swyllys #ifndef _KMFPOLICY_H 25*3089Swyllys #define _KMFPOLICY_H 26*3089Swyllys 27*3089Swyllys #pragma ident "%Z%%M% %I% %E% SMI" 28*3089Swyllys 29*3089Swyllys #include <kmfapi.h> 30*3089Swyllys #include <libxml/tree.h> 31*3089Swyllys #include <libxml/parser.h> 32*3089Swyllys 33*3089Swyllys #ifdef __cplusplus 34*3089Swyllys extern "C" { 35*3089Swyllys #endif 36*3089Swyllys 37*3089Swyllys typedef struct { 38*3089Swyllys char *name; 39*3089Swyllys char *serial; 40*3089Swyllys }KMF_RESP_CERT_POLICY; 41*3089Swyllys 42*3089Swyllys typedef struct { 43*3089Swyllys char *responderURI; 44*3089Swyllys char *proxy; 45*3089Swyllys boolean_t uri_from_cert; 46*3089Swyllys char *response_lifetime; 47*3089Swyllys boolean_t ignore_response_sign; 48*3089Swyllys }KMF_OCSP_BASIC_POLICY; 49*3089Swyllys 50*3089Swyllys typedef struct { 51*3089Swyllys KMF_OCSP_BASIC_POLICY basic; 52*3089Swyllys KMF_RESP_CERT_POLICY resp_cert; 53*3089Swyllys boolean_t has_resp_cert; 54*3089Swyllys }KMF_OCSP_POLICY; 55*3089Swyllys 56*3089Swyllys typedef struct { 57*3089Swyllys char *basefilename; 58*3089Swyllys char *directory; 59*3089Swyllys char *proxy; 60*3089Swyllys boolean_t get_crl_uri; 61*3089Swyllys boolean_t ignore_crl_sign; 62*3089Swyllys boolean_t ignore_crl_date; 63*3089Swyllys }KMF_CRL_POLICY; 64*3089Swyllys 65*3089Swyllys typedef struct { 66*3089Swyllys KMF_OCSP_POLICY ocsp_info; 67*3089Swyllys KMF_CRL_POLICY crl_info; 68*3089Swyllys }KMF_VALIDATION_POLICY; 69*3089Swyllys 70*3089Swyllys typedef struct { 71*3089Swyllys int eku_count; 72*3089Swyllys KMF_OID *ekulist; 73*3089Swyllys }KMF_EKU_POLICY; 74*3089Swyllys 75*3089Swyllys 76*3089Swyllys #define KMF_REVOCATION_METHOD_CRL 0x1 77*3089Swyllys #define KMF_REVOCATION_METHOD_OCSP 0x2 78*3089Swyllys 79*3089Swyllys 80*3089Swyllys typedef struct { 81*3089Swyllys char *name; 82*3089Swyllys KMF_VALIDATION_POLICY validation_info; 83*3089Swyllys KMF_EKU_POLICY eku_set; 84*3089Swyllys uint32_t ku_bits; 85*3089Swyllys boolean_t ignore_date; 86*3089Swyllys boolean_t ignore_unknown_ekus; 87*3089Swyllys boolean_t ignore_trust_anchor; 88*3089Swyllys char *validity_adjusttime; 89*3089Swyllys char *ta_name; 90*3089Swyllys char *ta_serial; 91*3089Swyllys uint32_t revocation; 92*3089Swyllys } KMF_POLICY_RECORD; 93*3089Swyllys 94*3089Swyllys 95*3089Swyllys /* 96*3089Swyllys * Short cut for ocsp_info and etc. 97*3089Swyllys */ 98*3089Swyllys #define VAL_OCSP validation_info.ocsp_info 99*3089Swyllys 100*3089Swyllys #define VAL_OCSP_BASIC VAL_OCSP.basic 101*3089Swyllys #define VAL_OCSP_RESPONDER_URI VAL_OCSP_BASIC.responderURI 102*3089Swyllys #define VAL_OCSP_PROXY VAL_OCSP_BASIC.proxy 103*3089Swyllys #define VAL_OCSP_URI_FROM_CERT VAL_OCSP_BASIC.uri_from_cert 104*3089Swyllys #define VAL_OCSP_RESP_LIFETIME VAL_OCSP_BASIC.response_lifetime 105*3089Swyllys #define VAL_OCSP_IGNORE_RESP_SIGN VAL_OCSP_BASIC.ignore_response_sign 106*3089Swyllys 107*3089Swyllys #define VAL_OCSP_RESP_CERT VAL_OCSP.resp_cert 108*3089Swyllys #define VAL_OCSP_RESP_CERT_NAME VAL_OCSP_RESP_CERT.name 109*3089Swyllys #define VAL_OCSP_RESP_CERT_SERIAL VAL_OCSP_RESP_CERT.serial 110*3089Swyllys 111*3089Swyllys /* 112*3089Swyllys * Short cut for crl_info and etc. 113*3089Swyllys */ 114*3089Swyllys #define VAL_CRL validation_info.crl_info 115*3089Swyllys #define VAL_CRL_BASEFILENAME validation_info.crl_info.basefilename 116*3089Swyllys #define VAL_CRL_DIRECTORY validation_info.crl_info.directory 117*3089Swyllys #define VAL_CRL_GET_URI validation_info.crl_info.get_crl_uri 118*3089Swyllys #define VAL_CRL_PROXY validation_info.crl_info.proxy 119*3089Swyllys #define VAL_CRL_IGNORE_SIGN validation_info.crl_info.ignore_crl_sign 120*3089Swyllys #define VAL_CRL_IGNORE_DATE validation_info.crl_info.ignore_crl_date 121*3089Swyllys 122*3089Swyllys /* 123*3089Swyllys * Policy related constant definitions. 124*3089Swyllys */ 125*3089Swyllys #define KMF_POLICY_DTD "/usr/share/lib/xml/dtd/kmfpolicy.dtd" 126*3089Swyllys #define KMF_DEFAULT_POLICY_FILE "/etc/security/kmfpolicy.xml" 127*3089Swyllys 128*3089Swyllys #define KMF_DEFAULT_POLICY_NAME "default" 129*3089Swyllys 130*3089Swyllys #define KMF_POLICY_ROOT "kmf-policy-db" 131*3089Swyllys 132*3089Swyllys #define KULOWBIT 7 133*3089Swyllys #define KUHIGHBIT 15 134*3089Swyllys 135*3089Swyllys #define KMF_POLICY_ELEMENT "kmf-policy" 136*3089Swyllys #define KMF_POLICY_NAME_ATTR "name" 137*3089Swyllys #define KMF_OPTIONS_IGNORE_DATE_ATTR "ignore-date" 138*3089Swyllys #define KMF_OPTIONS_IGNORE_UNKNOWN_EKUS "ignore-unknown-eku" 139*3089Swyllys #define KMF_OPTIONS_IGNORE_TRUST_ANCHOR "ignore-trust-anchor" 140*3089Swyllys #define KMF_OPTIONS_VALIDITY_ADJUSTTIME "validity-adjusttime" 141*3089Swyllys #define KMF_POLICY_TA_NAME_ATTR "ta-name" 142*3089Swyllys #define KMF_POLICY_TA_SERIAL_ATTR "ta-serial" 143*3089Swyllys 144*3089Swyllys #define KMF_VALIDATION_METHODS_ELEMENT "validation-methods" 145*3089Swyllys 146*3089Swyllys #define KMF_OCSP_ELEMENT "ocsp" 147*3089Swyllys #define KMF_OCSP_BASIC_ELEMENT "ocsp-basic" 148*3089Swyllys #define KMF_OCSP_RESPONDER_ATTR "responder" 149*3089Swyllys #define KMF_OCSP_PROXY_ATTR "proxy" 150*3089Swyllys #define KMF_OCSP_URI_ATTR "uri-from-cert" 151*3089Swyllys #define KMF_OCSP_RESPONSE_LIFETIME_ATTR "response-lifetime" 152*3089Swyllys #define KMF_OCSP_IGNORE_SIGN_ATTR "ignore-response-sign" 153*3089Swyllys #define KMF_OCSP_RESPONDER_CERT_ELEMENT "responder-cert" 154*3089Swyllys 155*3089Swyllys #define KMF_CERT_NAME_ATTR "name" 156*3089Swyllys #define KMF_CERT_SERIAL_ATTR "serial" 157*3089Swyllys 158*3089Swyllys #define KMF_CRL_ELEMENT "crl" 159*3089Swyllys #define KMF_CRL_BASENAME_ATTR "basefilename" 160*3089Swyllys #define KMF_CRL_DIRECTORY_ATTR "directory" 161*3089Swyllys #define KMF_CRL_GET_URI_ATTR "get-crl-uri" 162*3089Swyllys #define KMF_CRL_PROXY_ATTR "proxy" 163*3089Swyllys #define KMF_CRL_IGNORE_SIGN_ATTR "ignore-crl-sign" 164*3089Swyllys #define KMF_CRL_IGNORE_DATE_ATTR "ignore-crl-date" 165*3089Swyllys 166*3089Swyllys #define KMF_KEY_USAGE_SET_ELEMENT "key-usage-set" 167*3089Swyllys #define KMF_KEY_USAGE_ELEMENT "key-usage" 168*3089Swyllys #define KMF_KEY_USAGE_USE_ATTR "use" 169*3089Swyllys 170*3089Swyllys #define KMF_EKU_ELEMENT "ext-key-usage" 171*3089Swyllys #define KMF_EKU_NAME_ELEMENT "eku-name" 172*3089Swyllys #define KMF_EKU_NAME_ATTR "name" 173*3089Swyllys #define KMF_EKU_OID_ELEMENT "eku-oid" 174*3089Swyllys #define KMF_EKU_OID_ATTR "oid" 175*3089Swyllys 176*3089Swyllys #define TMPFILE_TEMPLATE "policyXXXXXX" 177*3089Swyllys 178*3089Swyllys extern char *ku2str(uint32_t); 179*3089Swyllys extern uint32_t str2ku(char *); 180*3089Swyllys extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *); 181*3089Swyllys 182*3089Swyllys extern char *KMF_OID2EKUString(KMF_OID *); 183*3089Swyllys extern KMF_OID *kmf_ekuname2oid(char *); 184*3089Swyllys extern KMF_OID *kmf_string2oid(char *); 185*3089Swyllys 186*3089Swyllys extern KMF_RETURN KMF_GetPolicy(char *, char *, KMF_POLICY_RECORD *); 187*3089Swyllys extern KMF_RETURN KMF_AddPolicyToDB(KMF_POLICY_RECORD *, char *, boolean_t); 188*3089Swyllys extern KMF_RETURN KMF_DeletePolicyFromDB(char *, char *); 189*3089Swyllys extern KMF_RETURN KMF_VerifyPolicy(KMF_POLICY_RECORD *); 190*3089Swyllys 191*3089Swyllys extern void KMF_FreePolicyRecord(KMF_POLICY_RECORD *); 192*3089Swyllys extern void KMF_FreeEKUPolicy(KMF_EKU_POLICY *); 193*3089Swyllys 194*3089Swyllys #ifdef __cplusplus 195*3089Swyllys } 196*3089Swyllys #endif 197*3089Swyllys #endif /* _KMFPOLICY_H */ 198