Lines Matching refs:policy

448 		 * This should probably be a policy setting in the
519 KMF_POLICY_RECORD *policy;
567 policy = handle->policy;
569 if (ret == KMF_ERR_EXTENSION_NOT_FOUND && policy->ku_bits == 0)
671 KMF_POLICY_RECORD *policy;
711 policy = handle->policy;
712 if (ret == KMF_ERR_EXTENSION_NOT_FOUND && policy->ku_bits == 0)
841 KMF_POLICY_RECORD *policy;
901 policy = handle->policy;
903 if (ret == KMF_ERR_EXTENSION_NOT_FOUND && policy->ku_bits == 0)
1090 KMF_POLICY_RECORD *policy;
1123 policy = handle->policy;
1125 if (ret == KMF_ERR_EXTENSION_NOT_FOUND && policy->ku_bits == 0)
1188 KMF_POLICY_RECORD *policy;
1217 policy = handle->policy;
1219 if (ret == KMF_ERR_EXTENSION_NOT_FOUND && policy->ku_bits == 0)
1479 KMF_POLICY_RECORD *policy;
1484 policy = handle->policy;
1498 if (!policy->validation_info.crl_info.ignore_crl_sign) {
1507 if (!policy->validation_info.crl_info.ignore_crl_date) {
1520 KMF_POLICY_RECORD *policy;
1542 policy = handle->policy;
1545 * If the get-crl-uri policy is TRUE, then download the CRL
1550 * For file-based plugins, if the get-crl-uri policy is FALSE,
1551 * then the caller should provide a CRL file in the policy.
1556 basefilename = policy->validation_info.crl_info.basefilename;
1557 dir = policy->validation_info.crl_info.directory;
1558 if (policy->validation_info.crl_info.get_crl_uri) {
1599 proxy = policy->validation_info.crl_info.proxy;
1647 * If the get_crl_uri policy is FALSE, for File-based CRL
1648 * plugins, get the input CRL file from the policy.
1744 KMF_POLICY_RECORD *policy;
1760 policy = handle->policy;
1763 * Get the response lifetime from policy.
1765 if (policy->VAL_OCSP_BASIC.response_lifetime != NULL &&
1766 (str2lifetime(policy->VAL_OCSP_BASIC.response_lifetime, &ltime)
1771 * Get the ignore_response_sign policy.
1775 * policy.
1777 ignore_response_sign = policy->VAL_OCSP_BASIC.ignore_response_sign;
1780 policy->VAL_OCSP.has_resp_cert == B_TRUE) {
1790 if (policy->VAL_OCSP_RESP_CERT.name == NULL ||
1791 policy->VAL_OCSP_RESP_CERT.serial == NULL)
1801 signer_name = policy->VAL_OCSP_RESP_CERT.name;
1803 (uchar_t *)policy->VAL_OCSP_RESP_CERT.serial,
1972 KMF_POLICY_RECORD *policy;
1981 policy = handle->policy;
1986 if (policy->ku_bits) {
1987 /* keyusage is not set in cert but is set in policy */
1990 /* keyusage is set in neither the cert nor the policy */
2018 * Rule: if the KU bit is set in policy, the corresponding KU bit
2021 if ((policy->ku_bits & keyusage.KeyUsageBits) == policy->ku_bits) {
2032 KMF_POLICY_RECORD *policy;
2040 policy = handle->policy;
2043 * If the policy does not have any EKU, then there is
2046 if (policy->eku_set.eku_count == 0)
2080 } else if (!policy->ignore_unknown_ekus) {
2088 * Build the EKU bitmap based on the policy
2090 for (i = 0; i < policy->eku_set.eku_count; i++) {
2091 if (IsEqualOid(&policy->eku_set.ekulist[i],
2094 } else if (IsEqualOid(&policy->eku_set.ekulist[i],
2097 } else if (IsEqualOid(&policy->eku_set.ekulist[i],
2100 } else if (IsEqualOid(&policy->eku_set.ekulist[i],
2103 } else if (IsEqualOid(&policy->eku_set.ekulist[i],
2106 } else if (IsEqualOid(&policy->eku_set.ekulist[i],
2109 } else if (!policy->ignore_unknown_ekus) {
2115 * Rule: if the EKU OID is set in policy, the corresponding EKU OID
2259 KMF_POLICY_RECORD *policy;
2280 /* Get the TA name and serial number from the policy */
2281 policy = handle->policy;
2282 ta_name = policy->ta_name;
2285 * Use name and serial from policy.
2287 ret = kmf_hexstr_to_bytes((uchar_t *)policy->ta_serial,
2376 if (ret == KMF_ERR_EXTENSION_NOT_FOUND && policy->ku_bits == 0)
2410 KMF_POLICY_RECORD *policy;
2430 policy = handle->policy;
2498 * This step is needed when "ignore_date" in policy is set
2501 if (!policy->ignore_date) {
2511 * When "ignore_trust_anchor" in policy is set to FALSE,
2512 * we will try to find the TA cert based on the TA policy
2516 * are defined as optional attributes in policy dtd, but they
2517 * should exist in policy when "ignore_trust_anchor" is set
2518 * to FALSE. The policy verification code has enforced that.
2524 if (policy->ignore_trust_anchor) {
2537 if (policy->ta_name != NULL &&
2538 strcasecmp(policy->ta_name, "search") == 0) {
2580 * When CRL or OCSP revocation method is set in the policy,
2586 if (!(policy->revocation & KMF_REVOCATION_METHOD_CRL) &&
2587 !(policy->revocation & KMF_REVOCATION_METHOD_OCSP)) {
2593 * (when policy->ta_name == "search"), get it here.
2598 policy->revocation & KMF_REVOCATION_METHOD_CRL ||
2599 policy->revocation & KMF_REVOCATION_METHOD_OCSP) {
2607 if (policy->revocation & KMF_REVOCATION_METHOD_CRL &&
2615 if (policy->revocation & KMF_REVOCATION_METHOD_OCSP &&
2791 KMF_POLICY_RECORD *policy;
2801 policy = handle->policy;
2817 if (policy->validity_adjusttime != NULL) {
2818 if (str2lifetime(policy->validity_adjusttime, &adj) < 0)
3267 KMF_POLICY_RECORD *policy;
3280 policy = handle->policy;
3284 if (ret == KMF_ERR_EXTENSION_NOT_FOUND && policy->ku_bits == 0)