kmfpolicy.h revision 12611:d9f75b73c5fd
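/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
 */
#ifndef _KMFPOLICY_H
#define _KMFPOLICY_H

/*
 * kmfpolicy.h
 *
 * In-memory representation of a KMF certificate validation policy
 * (KMF_POLICY_RECORD and its sub-structures), the XML element and
 * attribute names the policy database is written in, and the
 * prototypes of the policy database routines.
 *
 * A policy decides which certificates are accepted and which revocation
 * and trust checks may be skipped, so the policy database is
 * security-relevant configuration: whoever can write it controls the
 * outcome of certificate validation.
 */

#include <kmfapi.h>
#include <kmfmapper.h>
#include <libxml/tree.h>
#include <libxml/parser.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Identifies one certificate by subject name and serial number.
 * Used for the OCSP responder certificate (see KMF_OCSP_POLICY).
 * The strings are heap-owned by the enclosing record; presumably
 * released by kmf_free_policy_record() -- confirm in kmfpolicy.c.
 */
typedef struct {
	char *name;		/* certificate subject name */
	char *serial;		/* certificate serial number, as text */
} KMF_RESP_CERT_POLICY;

/*
 * Basic OCSP settings: where to send requests and how strictly to
 * treat the answer.
 */
typedef struct {
	char *responderURI;		/* OCSP responder to query */
	char *proxy;			/* proxy used to reach the responder */
	boolean_t uri_from_cert;	/* take the responder URI from the
					   certificate (AIA) instead */
	char *response_lifetime;	/* how long a response stays usable */
	boolean_t ignore_response_sign;	/* skip the response signature check.
					   By name this accepts unsigned or
					   wrongly signed responses; leave
					   unset except for testing. */
} KMF_OCSP_BASIC_POLICY;

/*
 * Full OCSP policy: basic settings plus an optional pinned
 * responder certificate.
 */
typedef struct {
	KMF_OCSP_BASIC_POLICY basic;
	KMF_RESP_CERT_POLICY resp_cert;	/* valid only if has_resp_cert */
	boolean_t has_resp_cert;	/* resp_cert is populated */
} KMF_OCSP_POLICY;

/*
 * CRL settings: where CRLs are stored locally, whether to fetch them
 * from the certificate's distribution point, and which CRL checks
 * may be skipped.
 */
typedef struct {
	char *basefilename;		/* CRL file name (relative to directory) */
	char *directory;		/* directory holding the CRL files */
	char *proxy;			/* proxy used when fetching a CRL */
	boolean_t get_crl_uri;		/* fetch the CRL from the URI in the cert */
	boolean_t ignore_crl_sign;	/* skip the CRL signature check */
	boolean_t ignore_crl_date;	/* skip the CRL validity-date check */
	/*
	 * NOTE(review): the two ignore_* flags, by name, disable checks
	 * that protect against forged or stale CRLs.
	 */
} KMF_CRL_POLICY;

/* Revocation-checking configuration: OCSP and CRL settings side by side. */
typedef struct {
	KMF_OCSP_POLICY ocsp_info;
	KMF_CRL_POLICY crl_info;
} KMF_VALIDATION_POLICY;

/*
 * Set of extended key usage OIDs the policy requires.
 * ekulist holds eku_count entries; see kmf_free_eku_policy().
 */
typedef struct {
	int eku_count;		/* number of entries in ekulist */
	KMF_OID *ekulist;	/* array of EKU OIDs, eku_count long */
} KMF_EKU_POLICY;

/*
 * Revocation methods.  Distinct bits, presumably OR-ed together into
 * KMF_POLICY_RECORD.revocation -- confirm against the validation code.
 */
#define	KMF_REVOCATION_METHOD_CRL	0x1
#define	KMF_REVOCATION_METHOD_OCSP	0x2

/*
 * One named validation policy as loaded from the policy database.
 * The boolean ignore_* members each switch off one validation check;
 * a policy that sets them accepts certificates that would otherwise
 * fail validation.  Heap members are presumably released by
 * kmf_free_policy_record() -- confirm in kmfpolicy.c.
 */
typedef struct {
	char *name;				/* policy name (KMF_POLICY_NAME_ATTR) */
	KMF_VALIDATION_POLICY validation_info;	/* OCSP and CRL settings */
	KMF_EKU_POLICY eku_set;			/* required extended key usages */
	KMF_MAPPER_RECORD mapper;		/* kmfmapper.h */
	uint32_t ku_bits;			/* required key usage bits
						   (see KULOWBIT/KUHIGHBIT) */
	boolean_t ignore_date;			/* skip cert validity-date check */
	boolean_t ignore_unknown_ekus;		/* accept EKUs not in eku_set */
	boolean_t ignore_trust_anchor;		/* skip the trust anchor check */
	char *validity_adjusttime;		/* clock-skew allowance, as text */
	char *ta_name;				/* trust anchor subject name */
	char *ta_serial;			/* trust anchor serial number */
	uint32_t revocation;			/* KMF_REVOCATION_METHOD_* bits */
} KMF_POLICY_RECORD;


/*
 * Short cut for ocsp_info and etc.
 * Each macro is a member path relative to a KMF_POLICY_RECORD, to be
 * used as "policy.VAL_OCSP_PROXY" or "policy->VAL_OCSP_PROXY".
 */
#define	VAL_OCSP			validation_info.ocsp_info

#define	VAL_OCSP_BASIC			VAL_OCSP.basic
#define	VAL_OCSP_RESPONDER_URI		VAL_OCSP_BASIC.responderURI
#define	VAL_OCSP_PROXY			VAL_OCSP_BASIC.proxy
#define	VAL_OCSP_URI_FROM_CERT		VAL_OCSP_BASIC.uri_from_cert
#define	VAL_OCSP_RESP_LIFETIME		VAL_OCSP_BASIC.response_lifetime
#define	VAL_OCSP_IGNORE_RESP_SIGN	VAL_OCSP_BASIC.ignore_response_sign

#define	VAL_OCSP_RESP_CERT		VAL_OCSP.resp_cert
#define	VAL_OCSP_RESP_CERT_NAME		VAL_OCSP_RESP_CERT.name
#define	VAL_OCSP_RESP_CERT_SERIAL	VAL_OCSP_RESP_CERT.serial

/*
 * Short cut for crl_info and etc.
 * Built on VAL_CRL for the same reason the OCSP macros build on
 * VAL_OCSP; every expansion is unchanged.
 */
#define	VAL_CRL				validation_info.crl_info
#define	VAL_CRL_BASEFILENAME		VAL_CRL.basefilename
#define	VAL_CRL_DIRECTORY		VAL_CRL.directory
#define	VAL_CRL_GET_URI			VAL_CRL.get_crl_uri
#define	VAL_CRL_PROXY			VAL_CRL.proxy
#define	VAL_CRL_IGNORE_SIGN		VAL_CRL.ignore_crl_sign
#define	VAL_CRL_IGNORE_DATE		VAL_CRL.ignore_crl_date

/*
 * Policy related constant definitions.
 */
/* DTD the policy database is validated against. */
#define	KMF_POLICY_DTD		"/usr/share/lib/xml/dtd/kmfpolicy.dtd"
/*
 * Default policy database.  Its contents govern certificate validation
 * system-wide; it (and the DTD above) should be writable only by the
 * administrator.
 */
#define	KMF_DEFAULT_POLICY_FILE	"/etc/security/kmfpolicy.xml"

/* Name of the policy used when no other is requested. */
#define	KMF_DEFAULT_POLICY_NAME	"default"

/* Root element of the policy database document. */
#define	KMF_POLICY_ROOT		"kmf-policy-db"

/*
 * Range of key-usage bit positions represented in ku_bits.
 * Presumably the low/high bit numbers of the X.509 KeyUsage
 * BIT STRING as packed here -- confirm against the key-usage parser.
 */
#define	KULOWBIT	7
#define	KUHIGHBIT	15

/* <kmf-policy> element and its attributes. */
#define	KMF_POLICY_ELEMENT		"kmf-policy"
#define	KMF_POLICY_NAME_ATTR		"name"
#define	KMF_OPTIONS_IGNORE_DATE_ATTR	"ignore-date"
#define	KMF_OPTIONS_IGNORE_UNKNOWN_EKUS	"ignore-unknown-eku"
#define	KMF_OPTIONS_IGNORE_TRUST_ANCHOR	"ignore-trust-anchor"
#define	KMF_OPTIONS_VALIDITY_ADJUSTTIME	"validity-adjusttime"
#define	KMF_POLICY_TA_NAME_ATTR		"ta-name"
#define	KMF_POLICY_TA_SERIAL_ATTR	"ta-serial"

/* <validation-methods> element wrapping the OCSP and CRL settings. */
#define	KMF_VALIDATION_METHODS_ELEMENT	"validation-methods"

/* <ocsp> element, its <ocsp-basic> child and their attributes. */
#define	KMF_OCSP_ELEMENT		"ocsp"
#define	KMF_OCSP_BASIC_ELEMENT		"ocsp-basic"
#define	KMF_OCSP_RESPONDER_ATTR		"responder"
#define	KMF_OCSP_PROXY_ATTR		"proxy"
#define	KMF_OCSP_URI_ATTR		"uri-from-cert"
#define	KMF_OCSP_RESPONSE_LIFETIME_ATTR	"response-lifetime"
#define	KMF_OCSP_IGNORE_SIGN_ATTR	"ignore-response-sign"
#define	KMF_OCSP_RESPONDER_CERT_ELEMENT	"responder-cert"

/* Attributes of <responder-cert>. */
#define	KMF_CERT_NAME_ATTR		"name"
#define	KMF_CERT_SERIAL_ATTR		"serial"

/* <crl> element and its attributes. */
#define	KMF_CRL_ELEMENT			"crl"
#define	KMF_CRL_BASENAME_ATTR		"basefilename"
#define	KMF_CRL_DIRECTORY_ATTR		"directory"
#define	KMF_CRL_GET_URI_ATTR		"get-crl-uri"
#define	KMF_CRL_PROXY_ATTR		"proxy"
#define	KMF_CRL_IGNORE_SIGN_ATTR	"ignore-crl-sign"
#define	KMF_CRL_IGNORE_DATE_ATTR	"ignore-crl-date"

/* <key-usage-set> element and its <key-usage use="..."> children. */
#define	KMF_KEY_USAGE_SET_ELEMENT	"key-usage-set"
#define	KMF_KEY_USAGE_ELEMENT		"key-usage"
#define	KMF_KEY_USAGE_USE_ATTR		"use"

/* <ext-key-usage> element and its <eku-name>/<eku-oid> children. */
#define	KMF_EKU_ELEMENT			"ext-key-usage"
#define	KMF_EKU_NAME_ELEMENT		"eku-name"
#define	KMF_EKU_NAME_ATTR		"name"
#define	KMF_EKU_OID_ELEMENT		"eku-oid"
#define	KMF_EKU_OID_ATTR		"oid"

/* <cert-to-name-mapping> element and its attributes (see kmfmapper.h). */
#define	KMF_CERT_MAPPER_ELEMENT		"cert-to-name-mapping"
#define	KMF_CERT_MAPPER_NAME_ATTR	"mapper-name"
#define	KMF_CERT_MAPPER_DIR_ATTR	"mapper-directory"
#define	KMF_CERT_MAPPER_PATH_ATTR	"mapper-pathname"
#define	KMF_CERT_MAPPER_OPTIONS_ATTR	"mapper-options"

/*
 * Template for the temporary file written while the policy database is
 * rewritten.  The six trailing X's are the form mkstemp(3C) expects;
 * the caller should create the file with mkstemp() (not mktemp()) so
 * the name is never predictable before the file exists -- confirm in
 * kmfpolicy.c.
 */
#define	TMPFILE_TEMPLATE	"policyXXXXXX"

/*
 * Parameter names below follow the libkmf implementation as the
 * reviewer recalls it; confirm against the definitions in kmfpolicy.c.
 */

/*
 * Fill policy from the <kmf-policy> element node.
 * Returns 0 on success, non-zero on error.
 */
extern int parsePolicyElement(xmlNodePtr node, KMF_POLICY_RECORD *policy);

/*
 * Load the policy named policy_name from the database file filename
 * into *plc.  Returns KMF_OK or a KMF_RETURN error code.
 */
extern KMF_RETURN kmf_get_policy(char *filename, char *policy_name,
    KMF_POLICY_RECORD *plc);
/*
 * Write policy into the database file dbfilepath.  When check_policy is
 * set, the record is presumably passed through kmf_verify_policy()
 * first -- confirm.
 */
extern KMF_RETURN kmf_add_policy_to_db(KMF_POLICY_RECORD *policy,
    char *dbfilepath, boolean_t check_policy);
/* Remove the policy named policy_name from the database file dbfilepath. */
extern KMF_RETURN kmf_delete_policy_from_db(char *policy_name,
    char *dbfilepath);
/* Sanity-check the contents of policy; returns KMF_OK if acceptable. */
extern KMF_RETURN kmf_verify_policy(KMF_POLICY_RECORD *policy);

/* Release the heap members of policy (not the record itself). */
extern void kmf_free_policy_record(KMF_POLICY_RECORD *policy);
/* Release ekulist and reset eku_count. */
extern void kmf_free_eku_policy(KMF_EKU_POLICY *eku);

#ifdef __cplusplus
}
#endif
#endif /* _KMFPOLICY_H */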