policy.h

Go to the documentation of this file.

/*
 * Copyright 2013-2016 Guardtime, Inc.
 *
 * This file is part of the Guardtime client SDK.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *     http://www.apache.org/licenses/LICENSE-2.0
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES, CONDITIONS, OR OTHER LICENSES OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 * "Guardtime" and "KSI" are trademarks or registered trademarks of
 * Guardtime, Inc., and no license to trademarks is granted; Guardtime
 * reserves and retains all trademark rights.
 */

#ifndef POLICY_H
#define POLICY_H

#include "types.h"
#include "ksi.h"
#include "common.h"

#ifdef  __cplusplus
extern "C" {
#endif

        struct KSI_VerificationContext_st {
                KSI_CTX *ctx;

                KSI_Signature *signature;

                int extendingAllowed;

                KSI_uint64_t docAggrLevel;

                const KSI_DataHash *documentHash;

                const KSI_PublicationData *userPublication;

                KSI_PublicationsFile *userPublicationsFile;

                void *tempData;
        };

        typedef enum KSI_VerificationResultCode_en {
                KSI_VER_RES_OK = 0x00,
                KSI_VER_RES_NA = 0x01,
                KSI_VER_RES_FAIL = 0x02,
        } KSI_VerificationResultCode;

        #define KSI_VERIFICATION_ERROR_CODE_LIST\
                /*Type  Code  Offset  StrCode      Description*/\
                _(GEN,  1,    0x100,  "GEN-01",    "Wrong document")\
                _(GEN,  2,    0x100,  "GEN-02",    "Verification inconclusive") \
                _(GEN,  3,    0x100,  "GEN-03",    "Input hash level too large") \
                _(GEN,  4,    0x100,  "GEN-04",    "Wrong input hash algorithm") \
                \
                _(INT,  1,    0x200,  "INT-01",    "Inconsistent aggregation hash chains") \
                _(INT,  2,    0x200,  "INT-02",    "Inconsistent aggregation hash chain aggregation times") \
                _(INT,  3,    0x200,  "INT-03",    "Calendar hash chain input hash mismatch") \
                _(INT,  4,    0x200,  "INT-04",    "Calendar hash chain aggregation time mismatch") \
                _(INT,  5,    0x200,  "INT-05",    "Calendar hash chain shape inconsistent with aggregation time") \
                _(INT,  6,    0x200,  "INT-06",    "Calendar hash chain time inconsistent with calendar authentication record time") \
                _(INT,  7,    0x200,  "INT-07",    "Calendar hash chain time inconsistent with publication time") \
                _(INT,  8,    0x200,  "INT-08",    "Calendar hash chain root hash is inconsistent with calendar authentication record input hash") \
                _(INT,  9,    0x200,  "INT-09",    "Calendar hash chain root hash is inconsistent with published hash value") \
                _(INT,  10,   0x200,  "INT-10",    "Aggregation hash chain chain index mismatch") \
                _(INT,  11,   0x200,  "INT-11",    "The metadata record in the aggregation hash chain may not be trusted") \
                _(INT,  12,   0x200,  "INT-12",    "Inconsistent chain indexes") \
                _(INT,  13,   0x200,  "INT-13",    "Document hash algorithm deprecated at the time of signing") \
                _(INT,  14,   0x200,  "INT-14",    "RFC3161 compatibility record composed of hash algorithms that where deprecated at the time of signing") \
                _(INT,  15,   0x200,  "INT-15",    "Aggregation hash chain uses hash algorithm that was deprecated at the time of signing") \
                _(INT,  16,   0x200,  "INT-16",    "Calendar hash chain hash algorithm was obsolete at publication time") \
                _(INT,  17,   0x200,  "INT-17",    "The RFC3161 compatibility record output hash algorithm was deprecated at the time of signing") \
                \
                _(PUB,  1,    0x300,  "PUB-01",    "Extender response calendar root hash mismatch") \
                _(PUB,  2,    0x300,  "PUB-02",    "Extender response inconsistent") \
                _(PUB,  3,    0x300,  "PUB-03",    "Extender response input hash mismatch") \
                _(PUB,  4,    0x300,  "PUB-04",    "Publication record hash and user provided publication hash mismatch") \
                _(PUB,  5,    0x300,  "PUB-05",    "Publication record hash and publications file publication hash mismatch") \
                \
                _(KEY,  1,    0x400,  "KEY-01",    "Certificate not found") \
                _(KEY,  2,    0x400,  "KEY-02",    "PKI signature not verified with certificate") \
                _(KEY,  3,    0x400,  "KEY-03",    "Signing certificate not valid at aggregation time") \
                \
                _(CAL,  1,    0x500,  "CAL-01",    "Calendar root hash mismatch between signature and calendar database chain") \
                _(CAL,  2,    0x500,  "CAL-02",    "Aggregation hash chain root hash and calendar database hash chain input hash mismatch") \
                _(CAL,  3,    0x500,  "CAL-03",    "Aggregation time mismatch") \
                _(CAL,  4,    0x500,  "CAL-04",    "Calendar hash chain right links are inconsistent")

        typedef enum KSI_VerificationErrorCode_en {
                KSI_VER_ERR_NONE = 0x00,
#define _(type, code, offset, cor, desc) KSI_VER_ERR_##type##_##code = (offset + code),
                KSI_VERIFICATION_ERROR_CODE_LIST
#undef _
                __NOF_VER_ERRORS
        } KSI_VerificationErrorCode;

        struct KSI_RuleVerificationResult_st {
                KSI_VerificationResultCode resultCode;
                KSI_VerificationErrorCode errorCode;
                const char *ruleName;
                const char *policyName;
                size_t stepsPerformed;
                size_t stepsSuccessful;
                size_t stepsFailed;
        };

        typedef struct KSI_RuleVerificationResult_st KSI_RuleVerificationResult;

        KSI_DEFINE_LIST(KSI_RuleVerificationResult);
#define KSI_RuleVerificationResultList_append(lst, o) KSI_APPLY_TO_NOT_NULL((lst), append, ((lst), (o)))
#define KSI_RuleVerificationResultList_remove(lst, pos, o) KSI_APPLY_TO_NOT_NULL((lst), removeElement, ((lst), (pos), (o)))
#define KSI_RuleVerificationResultList_indexOf(lst, o, i) KSI_APPLY_TO_NOT_NULL((lst), indexOf, ((lst), (o), (i)))
#define KSI_RuleVerificationResultList_insertAt(lst, pos, o) KSI_APPLY_TO_NOT_NULL((lst), insertAt, ((lst), (pos), (o)))
#define KSI_RuleVerificationResultList_replaceAt(lst, pos, o) KSI_APPLY_TO_NOT_NULL((lst), replaceAt, ((lst), (pos), (o)))
#define KSI_RuleVerificationResultList_elementAt(lst, pos, o) KSI_APPLY_TO_NOT_NULL((lst), elementAt, ((lst), (pos), (o)))
#define KSI_RuleVerificationResultList_length(lst) (((lst) != NULL && (lst)->length != NULL) ? (lst)->length((lst)) : 0)
#define KSI_RuleVerificationResultList_find(lst, o,f, i) KSI_APPLY_TO_NOT_NULL((lst), find, ((lst), (o), (f), (i)))

#define KSI_TlvElementList_sort(lst, cmp) KSI_APPLY_TO_NOT_NULL((lst), sort, ((lst), (cmp)))
#define KSI_TlvElementList_foldl(lst, foldCtx, foldFn) (((lst) != NULL) ? (((lst)->foldl != NULL) ? ((lst)->foldl((lst), (foldCtx), (foldFn))) : KSI_INVALID_STATE) : KSI_OK)
#define KSI_TlvElementList_find(lst, o,f, i) KSI_APPLY_TO_NOT_NULL((lst), find, ((lst), (o), (f), (i)))

        struct KSI_PolicyVerificationResult_st {
                size_t ref;
                KSI_VerificationResultCode resultCode;
                KSI_RuleVerificationResult finalResult;
                KSI_LIST(KSI_RuleVerificationResult) *ruleResults;
                KSI_LIST(KSI_RuleVerificationResult) *policyResults;
        };

        KSI_DEFINE_EXTERN(const KSI_Policy* KSI_VERIFICATION_POLICY_EMPTY);
        KSI_DEFINE_EXTERN(const KSI_Policy* KSI_VERIFICATION_POLICY_INTERNAL);
        KSI_DEFINE_EXTERN(const KSI_Policy* KSI_VERIFICATION_POLICY_CALENDAR_BASED);
        KSI_DEFINE_EXTERN(const KSI_Policy* KSI_VERIFICATION_POLICY_KEY_BASED);
        KSI_DEFINE_EXTERN(const KSI_Policy* KSI_VERIFICATION_POLICY_PUBLICATIONS_FILE_BASED);
        KSI_DEFINE_EXTERN(const KSI_Policy* KSI_VERIFICATION_POLICY_USER_PUBLICATION_BASED);
        KSI_DEFINE_EXTERN(const KSI_Policy* KSI_VERIFICATION_POLICY_GENERAL);

        typedef enum RuleType_en {
                KSI_RULE_TYPE_BASIC,
                KSI_RULE_TYPE_COMPOSITE_AND,
                KSI_RULE_TYPE_COMPOSITE_OR
        } KSI_RuleType;

        typedef struct KSI_Rule_st {
                KSI_RuleType type;
                const void *rule;
        } KSI_Rule;

        const char *KSI_VerificationErrorCode_toString(int errorCode);

        int KSI_VerificationErrorCode_fromString(const char *errCodeStr);

        const char *KSI_Policy_getErrorString(int errorCode);

        int KSI_Policy_create(KSI_CTX *ctx, const KSI_Rule *rules, const char *name, KSI_Policy **policy);

        int KSI_Policy_clone(KSI_CTX *ctx, const KSI_Policy *policy, KSI_Policy **clone);

        int KSI_Policy_setFallback(KSI_CTX *ctx, KSI_Policy *policy, const KSI_Policy *fallback);

        int KSI_SignatureVerifier_verify(const KSI_Policy *policy, KSI_VerificationContext *context, KSI_PolicyVerificationResult **result);

        void KSI_Policy_free(KSI_Policy *policy);

        void KSI_PolicyVerificationResult_free(KSI_PolicyVerificationResult *result);

        void KSI_VerificationContext_clean(KSI_VerificationContext *context);

        int KSI_VerificationContext_init(KSI_VerificationContext *context, KSI_CTX *ctx);

#ifdef  __cplusplus
}
#endif

#endif  /* POLICY_H */