1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  *
21  * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
22  */
23 #ifndef _KMFPOLICY_H
24 #define	_KMFPOLICY_H
25 
26 #include <kmfapi.h>
27 #include <kmfmapper.h>
28 #include <libxml/tree.h>
29 #include <libxml/parser.h>
30 
31 #ifdef __cplusplus
32 extern "C" {
33 #endif
34 
35 typedef struct {
36 	char		*name;
37 	char		*serial;
38 }KMF_RESP_CERT_POLICY;
39 
40 typedef struct {
41 	char		*responderURI;
42 	char		*proxy;
43 	boolean_t 	uri_from_cert;
44 	char		*response_lifetime;
45 	boolean_t	ignore_response_sign;
46 }KMF_OCSP_BASIC_POLICY;
47 
48 typedef struct {
49 	KMF_OCSP_BASIC_POLICY	basic;
50 	KMF_RESP_CERT_POLICY	resp_cert;
51 	boolean_t		has_resp_cert;
52 }KMF_OCSP_POLICY;
53 
54 typedef struct {
55 	char *basefilename;
56 	char *directory;
57 	char *proxy;
58 	boolean_t get_crl_uri;
59 	boolean_t ignore_crl_sign;
60 	boolean_t ignore_crl_date;
61 }KMF_CRL_POLICY;
62 
63 typedef struct {
64 	KMF_OCSP_POLICY	ocsp_info;
65 	KMF_CRL_POLICY	crl_info;
66 }KMF_VALIDATION_POLICY;
67 
68 typedef struct {
69 	int		eku_count;
70 	KMF_OID		*ekulist;
71 }KMF_EKU_POLICY;
72 
73 #define	KMF_REVOCATION_METHOD_CRL		0x1
74 #define	KMF_REVOCATION_METHOD_OCSP		0x2
75 
76 typedef struct {
77 	char			*name;
78 	KMF_VALIDATION_POLICY	validation_info;
79 	KMF_EKU_POLICY		eku_set;
80 	KMF_MAPPER_RECORD	mapper; /* kmfmapper.h */
81 	uint32_t		ku_bits;
82 	boolean_t		ignore_date;
83 	boolean_t		ignore_unknown_ekus;
84 	boolean_t		ignore_trust_anchor;
85 	char			*validity_adjusttime;
86 	char			*ta_name;
87 	char			*ta_serial;
88 	uint32_t		revocation;
89 } KMF_POLICY_RECORD;
90 
91 
92 /*
93  * Short cut for ocsp_info and etc.
94  */
95 #define	VAL_OCSP			validation_info.ocsp_info
96 
97 #define	VAL_OCSP_BASIC			VAL_OCSP.basic
98 #define	VAL_OCSP_RESPONDER_URI		VAL_OCSP_BASIC.responderURI
99 #define	VAL_OCSP_PROXY			VAL_OCSP_BASIC.proxy
100 #define	VAL_OCSP_URI_FROM_CERT		VAL_OCSP_BASIC.uri_from_cert
101 #define	VAL_OCSP_RESP_LIFETIME		VAL_OCSP_BASIC.response_lifetime
102 #define	VAL_OCSP_IGNORE_RESP_SIGN	VAL_OCSP_BASIC.ignore_response_sign
103 
104 #define	VAL_OCSP_RESP_CERT		VAL_OCSP.resp_cert
105 #define	VAL_OCSP_RESP_CERT_NAME		VAL_OCSP_RESP_CERT.name
106 #define	VAL_OCSP_RESP_CERT_SERIAL	VAL_OCSP_RESP_CERT.serial
107 
108 /*
109  * Short cut for crl_info and etc.
110  */
111 #define	VAL_CRL			validation_info.crl_info
112 #define	VAL_CRL_BASEFILENAME	validation_info.crl_info.basefilename
113 #define	VAL_CRL_DIRECTORY	validation_info.crl_info.directory
114 #define	VAL_CRL_GET_URI		validation_info.crl_info.get_crl_uri
115 #define	VAL_CRL_PROXY		validation_info.crl_info.proxy
116 #define	VAL_CRL_IGNORE_SIGN	validation_info.crl_info.ignore_crl_sign
117 #define	VAL_CRL_IGNORE_DATE	validation_info.crl_info.ignore_crl_date
118 
119 /*
120  * Policy related constant definitions.
121  */
122 #define	KMF_POLICY_DTD		"/usr/share/lib/xml/dtd/kmfpolicy.dtd"
123 #define	KMF_DEFAULT_POLICY_FILE	"/etc/security/kmfpolicy.xml"
124 
125 #define	KMF_DEFAULT_POLICY_NAME	"default"
126 
127 #define	KMF_POLICY_ROOT	"kmf-policy-db"
128 
129 #define	KULOWBIT	7
130 #define	KUHIGHBIT	15
131 
132 #define	KMF_POLICY_ELEMENT		"kmf-policy"
133 #define	KMF_POLICY_NAME_ATTR		"name"
134 #define	KMF_OPTIONS_IGNORE_DATE_ATTR	"ignore-date"
135 #define	KMF_OPTIONS_IGNORE_UNKNOWN_EKUS	"ignore-unknown-eku"
136 #define	KMF_OPTIONS_IGNORE_TRUST_ANCHOR	"ignore-trust-anchor"
137 #define	KMF_OPTIONS_VALIDITY_ADJUSTTIME	"validity-adjusttime"
138 #define	KMF_POLICY_TA_NAME_ATTR		"ta-name"
139 #define	KMF_POLICY_TA_SERIAL_ATTR	"ta-serial"
140 
141 #define	KMF_VALIDATION_METHODS_ELEMENT	"validation-methods"
142 
143 #define	KMF_OCSP_ELEMENT		"ocsp"
144 #define	KMF_OCSP_BASIC_ELEMENT		"ocsp-basic"
145 #define	KMF_OCSP_RESPONDER_ATTR		"responder"
146 #define	KMF_OCSP_PROXY_ATTR		"proxy"
147 #define	KMF_OCSP_URI_ATTR		"uri-from-cert"
148 #define	KMF_OCSP_RESPONSE_LIFETIME_ATTR	"response-lifetime"
149 #define	KMF_OCSP_IGNORE_SIGN_ATTR	"ignore-response-sign"
150 #define	KMF_OCSP_RESPONDER_CERT_ELEMENT	"responder-cert"
151 
152 #define	KMF_CERT_NAME_ATTR		"name"
153 #define	KMF_CERT_SERIAL_ATTR		"serial"
154 
155 #define	KMF_CRL_ELEMENT			"crl"
156 #define	KMF_CRL_BASENAME_ATTR		"basefilename"
157 #define	KMF_CRL_DIRECTORY_ATTR		"directory"
158 #define	KMF_CRL_GET_URI_ATTR		"get-crl-uri"
159 #define	KMF_CRL_PROXY_ATTR		"proxy"
160 #define	KMF_CRL_IGNORE_SIGN_ATTR	"ignore-crl-sign"
161 #define	KMF_CRL_IGNORE_DATE_ATTR	"ignore-crl-date"
162 
163 #define	KMF_KEY_USAGE_SET_ELEMENT	"key-usage-set"
164 #define	KMF_KEY_USAGE_ELEMENT		"key-usage"
165 #define	KMF_KEY_USAGE_USE_ATTR		"use"
166 
167 #define	KMF_EKU_ELEMENT		"ext-key-usage"
168 #define	KMF_EKU_NAME_ELEMENT	"eku-name"
169 #define	KMF_EKU_NAME_ATTR	"name"
170 #define	KMF_EKU_OID_ELEMENT	"eku-oid"
171 #define	KMF_EKU_OID_ATTR	"oid"
172 
173 #define	KMF_CERT_MAPPER_ELEMENT		"cert-to-name-mapping"
174 #define	KMF_CERT_MAPPER_NAME_ATTR	"mapper-name"
175 #define	KMF_CERT_MAPPER_DIR_ATTR	"mapper-directory"
176 #define	KMF_CERT_MAPPER_PATH_ATTR	"mapper-pathname"
177 #define	KMF_CERT_MAPPER_OPTIONS_ATTR	"mapper-options"
178 
179 #define	TMPFILE_TEMPLATE	"policyXXXXXX"
180 
181 extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *);
182 
183 extern KMF_RETURN kmf_get_policy(char *, char *, KMF_POLICY_RECORD *);
184 extern KMF_RETURN kmf_add_policy_to_db(KMF_POLICY_RECORD *, char *, boolean_t);
185 extern KMF_RETURN kmf_delete_policy_from_db(char *, char *);
186 extern KMF_RETURN kmf_verify_policy(KMF_POLICY_RECORD *);
187 
188 extern void kmf_free_policy_record(KMF_POLICY_RECORD *);
189 extern void kmf_free_eku_policy(KMF_EKU_POLICY *);
190 
191 #ifdef __cplusplus
192 }
193 #endif
194 #endif /* _KMFPOLICY_H */
195