kmfpolicy.h revision 3089:8ddeb2ace8aa
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * kmfpolicy.h - in-memory representation of a KMF validation policy,
 * the XML element/attribute names it is parsed from, and the policy
 * database API.  Field and constant semantics below are described
 * from what this header shows; anything marked "presumably" or
 * NOTE(review) must be confirmed against parsePolicyElement() and
 * the KMF_*Policy* definitions.
 */

#ifndef _KMFPOLICY_H
#define	_KMFPOLICY_H

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <kmfapi.h>
#include <libxml/tree.h>
#include <libxml/parser.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Identity (subject name and serial) of the certificate an OCSP
 * responder is expected to sign with.  Both members are pointers to
 * strings; presumably heap-allocated by the parser and released by
 * KMF_FreePolicyRecord() together with the enclosing record -- confirm.
 */
typedef struct {
	char *name;
	char *serial;
} KMF_RESP_CERT_POLICY;

/*
 * Basic OCSP settings of a policy.
 *
 * responderURI / proxy	- responder and HTTP proxy locations as strings.
 * uri_from_cert	- presumably selects the responder URI from the
 *			  certificate being validated instead of
 *			  responderURI -- confirm in parsePolicyElement().
 * response_lifetime	- kept as a string, not parsed here.
 * ignore_response_sign	- by its name, relaxes verification of the
 *			  responder's signature on the OCSP response; treat
 *			  a policy that sets it as weakened.
 */
typedef struct {
	char *responderURI;
	char *proxy;
	boolean_t uri_from_cert;
	char *response_lifetime;
	boolean_t ignore_response_sign;
} KMF_OCSP_BASIC_POLICY;

/*
 * Complete OCSP policy.  resp_cert is only meaningful when has_resp_cert
 * is set; consumers should test the flag before reading the strings.
 */
typedef struct {
	KMF_OCSP_BASIC_POLICY basic;
	KMF_RESP_CERT_POLICY resp_cert;
	boolean_t has_resp_cert;
} KMF_OCSP_POLICY;

/*
 * CRL settings of a policy.
 *
 * basefilename / directory	- where CRL files are looked up (strings).
 * proxy			- HTTP proxy used when fetching (string).
 * get_crl_uri			- presumably fetch the CRL from the URI
 *				  carried in the certificate -- confirm.
 * ignore_crl_sign		- by its name, skips the CRL signature check.
 * ignore_crl_date		- by its name, skips the CRL validity-period
 *				  check.  Both are policy-weakening options.
 */
typedef struct {
	char *basefilename;
	char *directory;
	char *proxy;
	boolean_t get_crl_uri;
	boolean_t ignore_crl_sign;
	boolean_t ignore_crl_date;
} KMF_CRL_POLICY;

/*
 * Revocation-checking configuration: OCSP and CRL settings side by side.
 * Which of the two is consulted is presumably governed by
 * KMF_POLICY_RECORD.revocation -- confirm.
 */
typedef struct {
	KMF_OCSP_POLICY ocsp_info;
	KMF_CRL_POLICY crl_info;
} KMF_VALIDATION_POLICY;

/*
 * Extended-key-usage set: ekulist points at eku_count KMF_OID entries.
 * NOTE(review): eku_count is a signed int; code indexing ekulist should
 * reject negative counts.  KMF_FreeEKUPolicy() is the declared release
 * routine for this structure.
 */
typedef struct {
	int eku_count;
	KMF_OID *ekulist;
} KMF_EKU_POLICY;


/*
 * Revocation method flags.  Presumably OR-ed together into
 * KMF_POLICY_RECORD.revocation -- confirm in the parser.
 */
#define	KMF_REVOCATION_METHOD_CRL	0x1
#define	KMF_REVOCATION_METHOD_OCSP	0x2


/*
 * One named policy as loaded from the policy database.
 *
 * name			- policy name (see KMF_POLICY_NAME_ATTR).
 * validation_info	- OCSP and CRL settings.
 * eku_set		- permitted extended key usages.
 * ku_bits		- key-usage bit mask; see KULOWBIT/KUHIGHBIT and
 *			  ku2str()/str2ku().
 * ignore_date		- by its name, skips certificate validity-period
 *			  checks.
 * ignore_unknown_ekus	- by its name, accepts EKUs not in eku_set.
 * ignore_trust_anchor	- by its name, skips the trust-anchor check.
 *			  These three ignore_* flags disable validation
 *			  steps and deserve scrutiny in any policy file.
 * validity_adjusttime	- kept as a string, not parsed here.
 * ta_name / ta_serial	- trust-anchor identity (see KMF_POLICY_TA_*_ATTR).
 * revocation		- presumably a mask of KMF_REVOCATION_METHOD_*.
 *
 * Release with KMF_FreePolicyRecord().
 */
typedef struct {
	char *name;
	KMF_VALIDATION_POLICY validation_info;
	KMF_EKU_POLICY eku_set;
	uint32_t ku_bits;
	boolean_t ignore_date;
	boolean_t ignore_unknown_ekus;
	boolean_t ignore_trust_anchor;
	char *validity_adjusttime;
	char *ta_name;
	char *ta_serial;
	uint32_t revocation;
} KMF_POLICY_RECORD;


/*
 * Short cut for ocsp_info and etc.
 * Each macro expands to a member path relative to a KMF_POLICY_RECORD,
 * e.g. policy.VAL_OCSP_RESPONDER_URI.
 */
#define	VAL_OCSP			validation_info.ocsp_info

#define	VAL_OCSP_BASIC			VAL_OCSP.basic
#define	VAL_OCSP_RESPONDER_URI		VAL_OCSP_BASIC.responderURI
#define	VAL_OCSP_PROXY			VAL_OCSP_BASIC.proxy
#define	VAL_OCSP_URI_FROM_CERT		VAL_OCSP_BASIC.uri_from_cert
#define	VAL_OCSP_RESP_LIFETIME		VAL_OCSP_BASIC.response_lifetime
#define	VAL_OCSP_IGNORE_RESP_SIGN	VAL_OCSP_BASIC.ignore_response_sign

#define	VAL_OCSP_RESP_CERT		VAL_OCSP.resp_cert
#define	VAL_OCSP_RESP_CERT_NAME		VAL_OCSP_RESP_CERT.name
#define	VAL_OCSP_RESP_CERT_SERIAL	VAL_OCSP_RESP_CERT.serial

/*
 * Short cut for crl_info and etc.
 * Spelled out in full rather than via VAL_CRL; the expansions are the
 * same as the VAL_OCSP_* pattern above.
 */
#define	VAL_CRL				validation_info.crl_info
#define	VAL_CRL_BASEFILENAME		validation_info.crl_info.basefilename
#define	VAL_CRL_DIRECTORY		validation_info.crl_info.directory
#define	VAL_CRL_GET_URI			validation_info.crl_info.get_crl_uri
#define	VAL_CRL_PROXY			validation_info.crl_info.proxy
#define	VAL_CRL_IGNORE_SIGN		validation_info.crl_info.ignore_crl_sign
#define	VAL_CRL_IGNORE_DATE		validation_info.crl_info.ignore_crl_date

/*
 * Policy related constant definitions.
 */
/*
 * DTD and default database locations.  NOTE(review): policy XML is
 * presumably validated against the DTD with libxml; confirm the parser
 * is invoked with external-entity loading disabled so a crafted policy
 * file cannot pull in other files or network resources.
 */
#define	KMF_POLICY_DTD		"/usr/share/lib/xml/dtd/kmfpolicy.dtd"
#define	KMF_DEFAULT_POLICY_FILE	"/etc/security/kmfpolicy.xml"

#define	KMF_DEFAULT_POLICY_NAME	"default"

/* Root element of the policy database document. */
#define	KMF_POLICY_ROOT		"kmf-policy-db"

/*
 * Presumably the range of valid bit positions in ku_bits; confirm
 * against ku2str()/str2ku().
 */
#define	KULOWBIT	7
#define	KUHIGHBIT	15

/* Element and attribute names of a <kmf-policy> entry. */
#define	KMF_POLICY_ELEMENT		"kmf-policy"
#define	KMF_POLICY_NAME_ATTR		"name"
#define	KMF_OPTIONS_IGNORE_DATE_ATTR	"ignore-date"
#define	KMF_OPTIONS_IGNORE_UNKNOWN_EKUS	"ignore-unknown-eku"
#define	KMF_OPTIONS_IGNORE_TRUST_ANCHOR	"ignore-trust-anchor"
#define	KMF_OPTIONS_VALIDITY_ADJUSTTIME	"validity-adjusttime"
#define	KMF_POLICY_TA_NAME_ATTR		"ta-name"
#define	KMF_POLICY_TA_SERIAL_ATTR	"ta-serial"

#define	KMF_VALIDATION_METHODS_ELEMENT	"validation-methods"

/* OCSP sub-tree: maps onto KMF_OCSP_POLICY. */
#define	KMF_OCSP_ELEMENT		"ocsp"
#define	KMF_OCSP_BASIC_ELEMENT		"ocsp-basic"
#define	KMF_OCSP_RESPONDER_ATTR		"responder"
#define	KMF_OCSP_PROXY_ATTR		"proxy"
#define	KMF_OCSP_URI_ATTR		"uri-from-cert"
#define	KMF_OCSP_RESPONSE_LIFETIME_ATTR	"response-lifetime"
#define	KMF_OCSP_IGNORE_SIGN_ATTR	"ignore-response-sign"
#define	KMF_OCSP_RESPONDER_CERT_ELEMENT	"responder-cert"

/* Attributes of <responder-cert>: maps onto KMF_RESP_CERT_POLICY. */
#define	KMF_CERT_NAME_ATTR		"name"
#define	KMF_CERT_SERIAL_ATTR		"serial"

/* CRL sub-tree: maps onto KMF_CRL_POLICY. */
#define	KMF_CRL_ELEMENT			"crl"
#define	KMF_CRL_BASENAME_ATTR		"basefilename"
#define	KMF_CRL_DIRECTORY_ATTR		"directory"
#define	KMF_CRL_GET_URI_ATTR		"get-crl-uri"
#define	KMF_CRL_PROXY_ATTR		"proxy"
#define	KMF_CRL_IGNORE_SIGN_ATTR	"ignore-crl-sign"
#define	KMF_CRL_IGNORE_DATE_ATTR	"ignore-crl-date"

/* Key-usage sub-tree: maps onto ku_bits. */
#define	KMF_KEY_USAGE_SET_ELEMENT	"key-usage-set"
#define	KMF_KEY_USAGE_ELEMENT		"key-usage"
#define	KMF_KEY_USAGE_USE_ATTR		"use"

/* Extended-key-usage sub-tree: maps onto KMF_EKU_POLICY. */
#define	KMF_EKU_ELEMENT			"ext-key-usage"
#define	KMF_EKU_NAME_ELEMENT		"eku-name"
#define	KMF_EKU_NAME_ATTR		"name"
#define	KMF_EKU_OID_ELEMENT		"eku-oid"
#define	KMF_EKU_OID_ATTR		"oid"

/*
 * Template used when the policy database is rewritten.  NOTE(review):
 * it has no directory component, so the caller must prefix the intended
 * directory and create the file with mkstemp(3) (not mktemp) so the
 * temporary is never created in an unintended or world-writable location.
 */
#define	TMPFILE_TEMPLATE		"policyXXXXXX"

/*
 * Key-usage <-> string helpers and the XML element parser.
 * NOTE(review): the prototypes carry no parameter names and take
 * non-const char *; do not assume the input string is left untouched
 * until the definitions are checked.
 */
extern char *ku2str(uint32_t);
extern uint32_t str2ku(char *);
/* Fills the record from one <kmf-policy> node; returns int status. */
extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *);

/* EKU name / OID conversions.  Ownership of the returned objects is
 * not stated here -- confirm whether callers must free them. */
extern char *KMF_OID2EKUString(KMF_OID *);
extern KMF_OID *kmf_ekuname2oid(char *);
extern KMF_OID *kmf_string2oid(char *);

/*
 * Policy database API.  Each returns a KMF_RETURN status; the two
 * char * arguments are a database file name and a policy name
 * (order per the definitions, not fixed by this header).
 * KMF_VerifyPolicy() checks a record for consistency before it is
 * stored or applied.
 */
extern KMF_RETURN KMF_GetPolicy(char *, char *, KMF_POLICY_RECORD *);
extern KMF_RETURN KMF_AddPolicyToDB(KMF_POLICY_RECORD *, char *, boolean_t);
extern KMF_RETURN KMF_DeletePolicyFromDB(char *, char *);
extern KMF_RETURN KMF_VerifyPolicy(KMF_POLICY_RECORD *);

/* Release routines for a record and for an EKU set respectively. */
extern void KMF_FreePolicyRecord(KMF_POLICY_RECORD *);
extern void KMF_FreeEKUPolicy(KMF_EKU_POLICY *);

#ifdef __cplusplus
}
#endif
#endif /* _KMFPOLICY_H */