/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#ifndef _KMFPOLICY_H
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define _KMFPOLICY_H
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#pragma ident "%Z%%M% %I% %E% SMI"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <kmfapi.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <libxml/tree.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <libxml/parser.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#ifdef __cplusplus
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysextern "C" {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#endif
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Identifies one certificate by name and serial number.  Used for the
 * OCSP responder certificate (KMF_OCSP_POLICY.resp_cert); the matching
 * XML attributes are KMF_CERT_NAME_ATTR and KMF_CERT_SERIAL_ATTR.
 * Ownership of the two strings is not visible here; presumably they are
 * released by kmf_free_policy_record() — confirm against the
 * implementation before freeing them directly.
 */
typedef struct {
	char *name;	/* certificate name (presumably the subject DN) */
	char *serial;	/* certificate serial number, kept as a string */
}KMF_RESP_CERT_POLICY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Basic OCSP settings, populated from the <ocsp-basic> element
 * (KMF_OCSP_BASIC_ELEMENT) and its attributes.
 */
typedef struct {
	char *responderURI;		/* "responder" attribute: OCSP responder URI */
	char *proxy;			/* "proxy" attribute: proxy used to reach it */
	boolean_t uri_from_cert;	/* "uri-from-cert": presumably take the
					 * responder URI from the certificate
					 * being validated rather than from
					 * responderURI — confirm in the
					 * validation code */
	char *response_lifetime;	/* "response-lifetime", kept as a string;
					 * units are not defined in this header */
	boolean_t ignore_response_sign;	/* "ignore-response-sign": per the name,
					 * skips verifying the OCSP response
					 * signature, i.e. removes the
					 * authenticity check on revocation
					 * data.  NOTE(review): confirm how
					 * kmf_verify_policy() treats it */
}KMF_OCSP_BASIC_POLICY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Complete OCSP policy: the basic settings plus an optional responder
 * certificate (<responder-cert>, KMF_OCSP_RESPONDER_CERT_ELEMENT).
 */
typedef struct {
	KMF_OCSP_BASIC_POLICY basic;
	KMF_RESP_CERT_POLICY resp_cert;
	boolean_t has_resp_cert;	/* set when resp_cert holds a value;
					 * presumably resp_cert is ignored
					 * otherwise — confirm */
}KMF_OCSP_POLICY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * CRL settings, populated from the <crl> element (KMF_CRL_ELEMENT)
 * and its attributes.
 */
typedef struct {
	char *basefilename;		/* "basefilename" attribute */
	char *directory;		/* "directory" attribute: presumably where
					 * CRL files are looked up or stored */
	char *proxy;			/* "proxy" attribute */
	boolean_t get_crl_uri;		/* "get-crl-uri": presumably fetch the CRL
					 * from a URI carried in the certificate
					 * — confirm */
	boolean_t ignore_crl_sign;	/* "ignore-crl-sign": per the name, skip
					 * CRL signature verification; an
					 * unverified CRL cannot be relied on to
					 * reflect the issuer's revocations */
	boolean_t ignore_crl_date;	/* "ignore-crl-date": per the name, accept
					 * a CRL outside its validity window
					 * (presumably thisUpdate/nextUpdate)
					 * — confirm */
}KMF_CRL_POLICY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Revocation-checking configuration: the OCSP and CRL policies parsed
 * from the <validation-methods> element (KMF_VALIDATION_METHODS_ELEMENT).
 * Addressed from a KMF_POLICY_RECORD through the VAL_OCSP_* and
 * VAL_CRL_* macros below.
 */
typedef struct {
	KMF_OCSP_POLICY ocsp_info;
	KMF_CRL_POLICY crl_info;
}KMF_VALIDATION_POLICY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Extended-key-usage policy: a list of EKU OIDs parsed from the
 * <ext-key-usage> element (KMF_EKU_ELEMENT).  Release with
 * kmf_free_eku_policy(), declared below.
 */
typedef struct {
	int eku_count;		/* number of entries in ekulist; it is an int
				 * rather than size_t, so treat a negative
				 * value as invalid when consuming it */
	KMF_OID *ekulist;	/* presumably an array of eku_count KMF_OIDs,
				 * NULL when eku_count is 0 — confirm */
}KMF_EKU_POLICY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Revocation-checking methods.  The values are distinct bits, so they
 * can be combined; presumably OR'd into KMF_POLICY_RECORD.revocation
 * — confirm.
 */
#define KMF_REVOCATION_METHOD_CRL 0x1
#define KMF_REVOCATION_METHOD_OCSP 0x2
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * One named policy from the policy database (<kmf-policy> element,
 * KMF_POLICY_ELEMENT).  Presumably filled by kmf_get_policy() /
 * parsePolicyElement() and released with kmf_free_policy_record().
 * The VAL_OCSP_* and VAL_CRL_* macros below address the nested
 * validation_info fields.
 *
 * Each ignore_* flag disables one validation check, so a policy that
 * sets several of them provides correspondingly little assurance;
 * kmf_verify_policy() is the place to confirm what each one permits.
 */
typedef struct {
	char *name;				/* "name" attribute */
	KMF_VALIDATION_POLICY validation_info;	/* OCSP and CRL settings */
	KMF_EKU_POLICY eku_set;			/* EKU OID list */
	uint32_t ku_bits;			/* key-usage bits; KULOWBIT..KUHIGHBIT
						 * presumably bound the range
						 * used — confirm */
	boolean_t ignore_date;			/* "ignore-date": presumably skip the
						 * certificate validity-period
						 * check */
	boolean_t ignore_unknown_ekus;		/* "ignore-unknown-eku": presumably
						 * tolerate EKUs absent from
						 * eku_set */
	boolean_t ignore_trust_anchor;		/* "ignore-trust-anchor": presumably
						 * skip chaining to the anchor
						 * named by ta_name/ta_serial */
	char *validity_adjusttime;		/* "validity-adjusttime", as a string */
	char *ta_name;				/* "ta-name": trust anchor cert name */
	char *ta_serial;			/* "ta-serial": trust anchor serial */
	uint32_t revocation;			/* presumably KMF_REVOCATION_METHOD_*
						 * bits — confirm */
} KMF_POLICY_RECORD;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Member-access shortcuts for the OCSP part of a KMF_POLICY_RECORD.
 * VAL_OCSP expands to validation_info.ocsp_info, so they are written
 * as rec->VAL_OCSP_PROXY, rec->VAL_OCSP_RESP_CERT_NAME and so on.
 * The names carry no KMF_ prefix and are visible in every file that
 * includes this header, so do not reuse them for anything else.
 */
#define VAL_OCSP validation_info.ocsp_info

/* Fields of KMF_OCSP_BASIC_POLICY. */
#define VAL_OCSP_BASIC VAL_OCSP.basic
#define VAL_OCSP_RESPONDER_URI VAL_OCSP_BASIC.responderURI
#define VAL_OCSP_PROXY VAL_OCSP_BASIC.proxy
#define VAL_OCSP_URI_FROM_CERT VAL_OCSP_BASIC.uri_from_cert
#define VAL_OCSP_RESP_LIFETIME VAL_OCSP_BASIC.response_lifetime
#define VAL_OCSP_IGNORE_RESP_SIGN VAL_OCSP_BASIC.ignore_response_sign

/* Fields of the responder certificate (KMF_RESP_CERT_POLICY). */
#define VAL_OCSP_RESP_CERT VAL_OCSP.resp_cert
#define VAL_OCSP_RESP_CERT_NAME VAL_OCSP_RESP_CERT.name
#define VAL_OCSP_RESP_CERT_SERIAL VAL_OCSP_RESP_CERT.serial
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
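/*
 * Member-access shortcuts for the CRL part of a KMF_POLICY_RECORD,
 * written in terms of VAL_CRL exactly as the OCSP shortcuts are written
 * in terms of VAL_OCSP.  Each one still expands to
 * validation_info.crl_info.<field>, so existing uses such as
 * rec->VAL_CRL_DIRECTORY are unaffected.  Like the OCSP names these
 * are unprefixed and visible to every includer; do not reuse them.
 */
#define VAL_CRL validation_info.crl_info
#define VAL_CRL_BASEFILENAME VAL_CRL.basefilename
#define VAL_CRL_DIRECTORY VAL_CRL.directory
#define VAL_CRL_GET_URI VAL_CRL.get_crl_uri
#define VAL_CRL_PROXY VAL_CRL.proxy
#define VAL_CRL_IGNORE_SIGN VAL_CRL.ignore_crl_sign
#define VAL_CRL_IGNORE_DATE VAL_CRL.ignore_crl_date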
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Policy related constant definitions.
 *
 * KMF_POLICY_DTD and KMF_DEFAULT_POLICY_FILE are absolute system paths:
 * the default policy database and the DTD (presumably used to validate
 * it) come from fixed locations rather than from a caller-controlled or
 * environment-derived directory.  The kmf_*_policy*() routines below
 * take char * arguments, presumably a database filename, so a different
 * database can still be named explicitly by the caller — confirm.
 */
#define KMF_POLICY_DTD "/usr/share/lib/xml/dtd/kmfpolicy.dtd"
#define KMF_DEFAULT_POLICY_FILE "/etc/security/kmfpolicy.xml"

/* Name of the policy presumably used when none is specified. */
#define KMF_DEFAULT_POLICY_NAME "default"

/* Root element of the policy database document. */
#define KMF_POLICY_ROOT "kmf-policy-db"

/*
 * Low and high bit positions that bound KMF_POLICY_RECORD.ku_bits —
 * presumably the X.509 KeyUsage bits as mapped by the <key-usage>
 * parser; confirm there before relying on the range.
 */
#define KULOWBIT 7
#define KUHIGHBIT 15
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * XML element and attribute names of the policy database schema
 * (KMF_POLICY_DTD).  Attribute names are only unique within their
 * element: "name" is used by <kmf-policy>, <responder-cert> and
 * <eku-name>, and "proxy" by both <ocsp-basic> and <crl>, so always
 * look an attribute up on the element it belongs to.
 */

/* <kmf-policy> element and its attributes (KMF_POLICY_RECORD). */
#define KMF_POLICY_ELEMENT "kmf-policy"
#define KMF_POLICY_NAME_ATTR "name"
#define KMF_OPTIONS_IGNORE_DATE_ATTR "ignore-date"
#define KMF_OPTIONS_IGNORE_UNKNOWN_EKUS "ignore-unknown-eku"
#define KMF_OPTIONS_IGNORE_TRUST_ANCHOR "ignore-trust-anchor"
#define KMF_OPTIONS_VALIDITY_ADJUSTTIME "validity-adjusttime"
#define KMF_POLICY_TA_NAME_ATTR "ta-name"
#define KMF_POLICY_TA_SERIAL_ATTR "ta-serial"

/* <validation-methods> wraps the <ocsp> and <crl> elements. */
#define KMF_VALIDATION_METHODS_ELEMENT "validation-methods"

/* <ocsp> / <ocsp-basic> and their attributes (KMF_OCSP_BASIC_POLICY). */
#define KMF_OCSP_ELEMENT "ocsp"
#define KMF_OCSP_BASIC_ELEMENT "ocsp-basic"
#define KMF_OCSP_RESPONDER_ATTR "responder"
#define KMF_OCSP_PROXY_ATTR "proxy"
#define KMF_OCSP_URI_ATTR "uri-from-cert"
#define KMF_OCSP_RESPONSE_LIFETIME_ATTR "response-lifetime"
#define KMF_OCSP_IGNORE_SIGN_ATTR "ignore-response-sign"
#define KMF_OCSP_RESPONDER_CERT_ELEMENT "responder-cert"

/* <responder-cert> attributes (KMF_RESP_CERT_POLICY). */
#define KMF_CERT_NAME_ATTR "name"
#define KMF_CERT_SERIAL_ATTR "serial"

/* <crl> element and its attributes (KMF_CRL_POLICY). */
#define KMF_CRL_ELEMENT "crl"
#define KMF_CRL_BASENAME_ATTR "basefilename"
#define KMF_CRL_DIRECTORY_ATTR "directory"
#define KMF_CRL_GET_URI_ATTR "get-crl-uri"
#define KMF_CRL_PROXY_ATTR "proxy"
#define KMF_CRL_IGNORE_SIGN_ATTR "ignore-crl-sign"
#define KMF_CRL_IGNORE_DATE_ATTR "ignore-crl-date"

/* <key-usage-set> / <key-usage use="..."> (KMF_POLICY_RECORD.ku_bits). */
#define KMF_KEY_USAGE_SET_ELEMENT "key-usage-set"
#define KMF_KEY_USAGE_ELEMENT "key-usage"
#define KMF_KEY_USAGE_USE_ATTR "use"

/*
 * <ext-key-usage> holds <eku-name name="..."> and <eku-oid oid="...">
 * children (KMF_EKU_POLICY); kmf_ekuname_to_oid() below presumably maps
 * the former onto OIDs.
 */
#define KMF_EKU_ELEMENT "ext-key-usage"
#define KMF_EKU_NAME_ELEMENT "eku-name"
#define KMF_EKU_NAME_ATTR "name"
#define KMF_EKU_OID_ELEMENT "eku-oid"
#define KMF_EKU_OID_ATTR "oid"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * mkstemp(3C)-style name template (six trailing X's), presumably for the
 * temporary file written before the policy database is replaced.  It is
 * a string literal, so copy it into a writable buffer before passing it
 * to mkstemp(), which overwrites the X's in place.  There is no
 * directory component; the caller decides where the file is created.
 */
#define TMPFILE_TEMPLATE "policyXXXXXX"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Fill a KMF_POLICY_RECORD from a parsed <kmf-policy> node — presumably;
 * the parameter roles are not named here.  Returns int rather than
 * KMF_RETURN like the kmf_* routines below, and lacks the kmf_ prefix
 * although it is exported from this header; callers should check the
 * implementation for the meaning of the return value.
 */
extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *);

/*
 * Map an EKU OID to its string name and back.  Ownership of the returned
 * char * / KMF_OID * is not stated here — TODO confirm whether the caller
 * must free them.  The char * argument is declared non-const; whether it
 * is modified is not visible here.
 */
extern char *kmf_oid_to_eku_string(KMF_OID *);
extern KMF_OID *kmf_ekuname_to_oid(char *);

/*
 * Policy database access.  The char * arguments are presumably a
 * database filename (KMF_DEFAULT_POLICY_FILE is the usual one) and a
 * policy name (KMF_DEFAULT_POLICY_NAME) — confirm against the
 * implementation.  A record returned by kmf_get_policy() is released
 * with kmf_free_policy_record().  The boolean_t argument of
 * kmf_add_policy_to_db() is unnamed; its meaning is not visible here.
 * kmf_verify_policy() presumably checks a record for internal
 * consistency before it is stored or used; that is where the effect of
 * the ignore_* flags should be confirmed.
 */
extern KMF_RETURN kmf_get_policy(char *, char *, KMF_POLICY_RECORD *);
extern KMF_RETURN kmf_add_policy_to_db(KMF_POLICY_RECORD *, char *, boolean_t);
extern KMF_RETURN kmf_delete_policy_from_db(char *, char *);
extern KMF_RETURN kmf_verify_policy(KMF_POLICY_RECORD *);

/*
 * Release the heap-held contents of a record (presumably the char *
 * fields and the EKU list); kmf_free_eku_policy() frees just the
 * KMF_EKU_POLICY part.  Neither frees the struct itself — the caller
 * owns that storage.
 */
extern void kmf_free_policy_record(KMF_POLICY_RECORD *);
extern void kmf_free_eku_policy(KMF_EKU_POLICY *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#ifdef __cplusplus
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#endif
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#endif /* _KMFPOLICY_H */