PKIF implements path development and validation as an iterative process: a candidate path is built, validation is attempted, and if validation fails the next candidate path is built and validated, and so on, until either a path validates or the builder has no further candidates. As shown below, this is typically implemented with a do…while loop; note that the results object reflects the last attempt, so the loop exit condition decides what is reported. Additionally, this sample demonstrates the use of a non-CAPI (in-memory) trust store. A CAPI repository is still attached to the cache mediator as a colleague, so only the set of trust anchors is guaranteed to come from the in-memory store — confirm this matches the deployment's intent before reusing the configuration.
// Validation results of the most recent run. BuildingAndValidatingACertificatePath
// assigns its results object here (g_pvr = valResults) and never reads it back.
CPKIFPathValidationResultsPtr g_pvr;
// Revocation source list; declared here but not referenced by this sample.
RevocationSourceList g_rsl;
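// Builds and validates a certification path for the target certificate, using
// an in-memory trust anchor store instead of the CAPI root store.
//
// Path development and validation are iterative: the path-processing mediator
// builds a candidate path, validation is attempted, and if the candidate is
// rejected the next candidate is requested until either a path validates or
// the builder runs out of candidates. Takes no parameters; the target, trust
// anchor and CRL come from the buffers in certs.cpp. Results are reported on
// cout and the validation results object is also published through g_pvr.
void
BuildingAndValidatingACertificatePath()
{
    // Crypto mediator with the default colleagues.
    CPKIFCryptoMediator2Ptr cryptoMed(new CPKIFCryptoMediator2(true));
    cryptoMed->InitializeMediator(NULL);

    // Revocation status mediator; CRL and OCSP checkers are added explicitly.
    CPKIFRevocationStatusMediator2Ptr revocStatMed(new CPKIFRevocationStatusMediator2());
    revocStatMed->InitializeMediator(NULL);

    CPKIFX509CRLCheckerPtr crlChecker(new CPKIFX509CRLChecker());
    CPKIFOCSPCheckerPtr ocspChecker(new CPKIFOCSPChecker());
    // Sample responder. OCSP responses are signed, so a plaintext transport is
    // the normal case; the responder's signing certificate still has to chain
    // to a configured trust anchor -- NOTE(review): confirm PKIF enforces this
    // for whichever responder a real deployment uses.
    ocspChecker->SetHost("ocsp.openvalidation.org");
    revocStatMed->AddColleague(dynamic_pointer_cast<IPKIFColleague, CPKIFOCSPChecker>(ocspChecker));
    revocStatMed->AddColleague(dynamic_pointer_cast<IPKIFColleague, CPKIFX509CRLChecker>(crlChecker));

    // Empty cache mediator with a CAPI repository attached as a colleague (the
    // trust anchors themselves come from the SimpleRootStore below).
    CPKIFCacheMediator2Ptr cacheMed(new CPKIFCacheMediator2());
    cacheMed->InitializeMediator(NULL);
    CPKIFCAPIRepository2Ptr capiRepCol(new CPKIFCAPIRepository2());
    cacheMed->AddColleague(dynamic_pointer_cast<IPKIFColleague, CPKIFCAPIRepository2>(capiRepCol));

    // Path processing mediator with the default colleagues, wired to the
    // cache, crypto and revocation status mediators.
    CPKIFPathProcessingMediator2Ptr pm(new CPKIFPathProcessingMediator2(true));
    pm->InitializeMediator(NULL);
    pm->AddMediator(dynamic_pointer_cast<IPKIFMediator, CPKIFCacheMediator2>(cacheMed));
    pm->AddMediator(dynamic_pointer_cast<IPKIFMediator, CPKIFCryptoMediator2>(cryptoMed));
    pm->AddMediator(dynamic_pointer_cast<IPKIFMediator, CPKIFRevocationStatusMediator2>(revocStatMed));

    // Target (end-entity) and root certificates from the buffers in certs.cpp.
    // NOTE(review): Decode's return value is not examined here; confirm it
    // throws on a malformed buffer rather than leaving an empty object behind.
    CPKIFCertificatePtr userCert(new CPKIFCertificate);
    userCert->Decode(userCertBuf, userCertBufLen);
    CPKIFCertificatePtr rootCert(new CPKIFCertificate);
    rootCert->Decode(rootCertBuf, rootCertBufLen);

    // In-memory trust anchor store, registered with the cache mediator that the
    // path mediator holds. GetMediator hands back a raw pointer, so guard it
    // instead of dereferencing blindly.
    SimpleRootStorePtr srs(new SimpleRootStore());
    CPKIFCacheMediator2* cm = pm->GetMediator<CPKIFCacheMediator2>();
    if (NULL == cm)
    {
        cout << "No cache mediator available; cannot build a path" << endl;
        return;
    }
    cm->AddColleague(dynamic_pointer_cast<IPKIFColleague, SimpleRootStore>(srs));

    // In-memory CRL cache, also registered with the cache mediator.
    SimpleCRLCachePtr scc(new SimpleCRLCache());
    cm->AddColleague(dynamic_pointer_cast<IPKIFColleague, SimpleCRLCache>(scc));

    // The root certificate is the only trust anchor for this run.
    CPKIFTrustRootPtr trustRoot(new CPKIFTrustRoot);
    trustRoot->SetCert(rootCert);
    srs->AddTrustRoot(trustRoot);

    // Root CRL, added without a distribution point name.
    CPKIFCRLPtr cgCRL(new CPKIFCRL);
    cgCRL->Decode(cgCRLBuf, cgCRLBufLen);
    CPKIFGeneralNamePtr emptyDP;
    scc->AddCRL(cgCRL, emptyDP);

    // Path object with the target certificate. A path settings object carrying
    // the desired validation inputs could optionally be set on it here.
    CPKIFCertificatePath path;
    path.SetTarget(userCert);

    CPKIFPathValidationResultsPtr valResults(new CPKIFPathValidationResults());
    g_pvr = valResults;

    // Loop over candidate paths. A candidate is accepted only when it both
    // validated and has a definitive NOT_REVOKED status. Breaking on the
    // revocation status alone (as the original sample did) abandoned the
    // search after a candidate that was not revoked but failed validation for
    // some other reason, even though a later candidate might have validated.
    bool succeeded = false;
    do
    {
        // Ask the builder for the next candidate; stop when it has none.
        if (!pm->BuildPath(path))
        {
            break;
        }

        CPKIFFuncStoragePtr empty;
        pm->ValidatePath(path, *valResults, empty);

        // Inspect status, builder statistics, path, etc. regardless of outcome.
        // See the "Working with path validation results" sample for details.
        cout << "Displaying validation results..." << endl;
        CPKIFPathLogger::LogValidationResults(*valResults, path, "Sample output", &cout);

        succeeded = valResults->PathSuccessfullyValidated()
                    && NOT_REVOKED == valResults->GetRevocationStatusMostSevere();
    }
    while (!succeeded);

    // Report on the same predicate the loop used, so "success" is never
    // printed for a path whose revocation status was not established.
    cout << endl;
    if (succeeded)
        cout << "Successfully built and validated a path" << endl;
    else
        cout << "Failed to Build and validate a path" << endl;
}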
// Validation results of the most recent run. BuildingAndValidatingACertificatePath
// assigns its results object here (g_pvr = valResults) and never reads it back.
CPKIFPathValidationResultsPtr g_pvr;
// Revocation source list; declared here but not referenced by this sample.
RevocationSourceList g_rsl;
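// Builds and validates a certification path for the target certificate, using
// an in-memory trust anchor store instead of the CAPI root store.
//
// Path development and validation are iterative: the path-processing mediator
// builds a candidate path, validation is attempted, and if the candidate is
// rejected the next candidate is requested until either a path validates or
// the builder runs out of candidates. Takes no parameters; the target, trust
// anchor and CRL come from the buffers in certs.cpp. Results are written to
// the console and the validation results object is also published via g_pvr.
public void BuildingAndValidatingACertificatePath()
{
    // Crypto mediator with the default colleagues.
    IPKIFColleaguePtr cryptoMedInter = pkif_module.make_NewCPKIFCryptoMediator2(true);
    CPKIFCryptoMediator2 cryptoMed = pkif_module.Get_CryptoMediator(cryptoMedInter);
    cryptoMed.InitializeMediator();

    // Revocation status mediator; CRL and OCSP checkers are added explicitly.
    IPKIFColleaguePtr rsmInter = pkif_module.make_NewCPKIFRevocationStatusMediator2(true);
    CPKIFRevocationStatusMediator2 rsm = pkif_module.Get_RevocationStatusMediator(rsmInter);
    rsm.InitializeMediator();

    IPKIFColleaguePtr crlCheckerCol = pkif_module.make_NewCPKIFX509CRLChecker();
    IPKIFColleaguePtr ocspCheckerCol = pkif_module.make_NewCPKIFOCSPChecker();
    CPKIFOCSPCheckerPtr ocspChecker = pkif_module.cast_ToCPKIFOCSPChecker(ocspCheckerCol);
    // Sample responder over plain HTTP. OCSP responses are signed, so this is
    // the normal transport; the responder's signing certificate still has to
    // chain to a configured trust anchor -- NOTE(review): confirm PKIF enforces
    // this for whichever responder a real deployment uses.
    ocspChecker.SetHost("ocsp.openvalidation.org");
    ocspChecker.Set_Port(80);
    rsm.AddColleague(ocspCheckerCol);
    rsm.AddColleague(crlCheckerCol);

    // Empty cache mediator with a CAPI repository attached as a colleague (the
    // trust anchors themselves come from the SimpleRootStore below).
    IPKIFColleaguePtr cacheMedInter = pkif_module.make_NewCPKIFCacheMediator2(false);
    CPKIFCacheMediator2 cacheMed = pkif_module.Get_CacheMediator(cacheMedInter);
    cacheMed.InitializeMediator();
    IPKIFColleaguePtr capiRepCol = pkif_module.make_NewCPKIFCAPIRepository2();
    cacheMed.AddColleague(capiRepCol);

    // Path processing mediator with the default colleagues, wired to the
    // cache, crypto and revocation status mediators.
    IPKIFColleaguePtr pmInter = pkif_module.make_NewCPKIFPathProcessingMediator2(true);
    CPKIFPathProcessingMediator2 pm = pkif_module.Get_PathProcessingMediator(pmInter);
    pmInter.InitializeMediator();
    pm.AddMediator(cacheMedInter);
    pm.AddMediator(cryptoMedInter);
    pm.AddMediator(rsmInter);

    // Target (end-entity) and root certificates from the buffers in certs.cpp.
    // NOTE(review): Decode's return value is not examined here; confirm it
    // throws on a malformed buffer rather than leaving an empty object behind.
    CPKIFCertificatePtr userCert = pkif_module.make_CPKIFCertificatePtr();
    userCert.Decode(userCertBuf, userCertBuf.Length);
    CPKIFCertificatePtr rootCert = pkif_module.make_CPKIFCertificatePtr();
    rootCert.Decode(rootCertBuf, rootCertBuf.Length);

    // In-memory trust anchor store, registered with the cache mediator that the
    // path mediator holds. Guard the lookup instead of dereferencing blindly.
    IPKIFColleaguePtr srsCol = pkif_module.make_NewSimpleRootStore();
    SimpleRootStorePtr srs = pkif_module.cast_ToSimpleRootStore(srsCol);
    CPKIFCacheMediator2 cm = pkif_module.Get_CacheMediator(pmInter);
    if (cm == null)
    {
        Console.WriteLine("No cache mediator available; cannot build a path");
        return;
    }
    cm.AddColleague(srsCol);

    // In-memory CRL cache, also registered with the cache mediator.
    IPKIFColleaguePtr sccCol = pkif_module.make_NewSimpleCRLCache();
    SimpleCRLCachePtr scc = pkif_module.cast_ToSimpleCRLCache(sccCol);
    cm.AddColleague(sccCol);

    // The root certificate is the only trust anchor for this run.
    CPKIFTrustRootPtr trustRoot = pkif_module.make_CPKIFTrustRootPtr();
    trustRoot.SetCert(rootCert);
    srs.AddTrustRoot(pkif_module.cast_ToIPKIFTrustAnchorPtr(trustRoot));

    // Root CRL, added without a distribution point name.
    CPKIFCRLPtr cgCRL = pkif_module.make_CPKIFCRLPtr();
    cgCRL.Decode(cgCRLBuf, cgCRLBuf.Length);
    CPKIFGeneralNamePtr emptyDP = pkif_module.make_CPKIFGeneralNamePtr();
    scc.AddCRL(cgCRL, emptyDP);

    // Path object with the target certificate. A path settings object carrying
    // the desired validation inputs could optionally be set on it here.
    CPKIFCertificatePathPtr path = pkif_module.make_CPKIFCertificatePathPtr();
    path.SetTarget(userCert);

    CPKIFPathValidationResultsPtr valResults = pkif_module.make_CPKIFPathValidationResultsPtr();
    g_pvr = valResults;

    // Loop over candidate paths. A candidate is accepted only when it both
    // validated and has a definitive NOT_REVOKED status. Breaking on the
    // revocation status alone (as the original sample did) abandoned the
    // search after a candidate that was not revoked but failed validation for
    // some other reason, even though a later candidate might have validated.
    bool succeeded = false;
    do
    {
        // Ask the builder for the next candidate; stop when it has none.
        if (!pm.BuildPath(path.get()))
        {
            break;
        }

        CPKIFFuncStoragePtr empty = pkif_module.make_Null_CPKIFFuncStoragePtr();
        pm.ValidatePath(path.get(), valResults.get(), empty);

        // Inspect status, builder statistics, path, etc. regardless of outcome.
        // See the "Working with path validation results" sample for details.
        Console.WriteLine("Displaying validation results...");
        string log = pkif_module.GetValidationResultsLog(valResults, path, "Sample output");
        Console.Write(log);

        succeeded = valResults.PathSuccessfullyValidated()
                    && RevocationStatus.NOT_REVOKED == valResults.GetRevocationStatusMostSevere();
    }
    while (!succeeded);

    // Report on the same predicate the loop used, so "success" is never
    // printed for a path whose revocation status was not established.
    Console.WriteLine();
    if (succeeded)
        Console.WriteLine("Successfully built and validated a path");
    else
        Console.WriteLine("Failed to Build and validate a path");
}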
// Validation results of the most recent run. BuildingAndValidatingACertificatePath
// assigns its results object here (g_pvr = valResults) and never reads it back.
CPKIFPathValidationResultsPtr g_pvr;
// Revocation source list; declared here but not referenced by this sample.
RevocationSourceList g_rsl;
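// Builds and validates a certification path for the target certificate, using
// an in-memory trust anchor store instead of the CAPI root store.
//
// Path development and validation are iterative: the path-processing mediator
// builds a candidate path, validation is attempted, and if the candidate is
// rejected the next candidate is requested until either a path validates or
// the builder runs out of candidates. Takes no parameters; the target, trust
// anchor and CRL come from the buffers in certs.cpp. Results are written to
// System.out and the validation results object is also published via g_pvr.
public void BuildingAndValidatingACertificatePath()
{
    // Crypto mediator with the default colleagues.
    IPKIFColleaguePtr cryptoMedInter = pkif_module.make_NewCPKIFCryptoMediator2(true);
    CPKIFCryptoMediator2 cryptoMed = pkif_module.Get_CryptoMediator(cryptoMedInter);
    cryptoMed.InitializeMediator();

    // Revocation status mediator; CRL and OCSP checkers are added explicitly.
    IPKIFColleaguePtr rsmInter = pkif_module.make_NewCPKIFRevocationStatusMediator2(true);
    CPKIFRevocationStatusMediator2 rsm = pkif_module.Get_RevocationStatusMediator(rsmInter);
    rsm.InitializeMediator();

    IPKIFColleaguePtr crlCheckerCol = pkif_module.make_NewCPKIFX509CRLChecker();
    IPKIFColleaguePtr ocspCheckerCol = pkif_module.make_NewCPKIFOCSPChecker();
    CPKIFOCSPCheckerPtr ocspChecker = pkif_module.cast_ToCPKIFOCSPChecker(ocspCheckerCol);
    // Sample responder over plain HTTP. OCSP responses are signed, so this is
    // the normal transport; the responder's signing certificate still has to
    // chain to a configured trust anchor -- NOTE(review): confirm PKIF enforces
    // this for whichever responder a real deployment uses.
    ocspChecker.SetHost("ocsp.openvalidation.org");
    ocspChecker.Set_Port(80);
    rsm.AddColleague(ocspCheckerCol);
    rsm.AddColleague(crlCheckerCol);

    // Empty cache mediator with a CAPI repository attached as a colleague (the
    // trust anchors themselves come from the SimpleRootStore below).
    IPKIFColleaguePtr cacheMedInter = pkif_module.make_NewCPKIFCacheMediator2(false);
    CPKIFCacheMediator2 cacheMed = pkif_module.Get_CacheMediator(cacheMedInter);
    cacheMed.InitializeMediator();
    IPKIFColleaguePtr capiRepCol = pkif_module.make_NewCPKIFCAPIRepository2();
    cacheMed.AddColleague(capiRepCol);

    // Path processing mediator with the default colleagues, wired to the
    // cache, crypto and revocation status mediators.
    IPKIFColleaguePtr pmInter = pkif_module.make_NewCPKIFPathProcessingMediator2(true);
    CPKIFPathProcessingMediator2 pm = pkif_module.Get_PathProcessingMediator(pmInter);
    pmInter.InitializeMediator();
    pm.AddMediator(cacheMedInter);
    pm.AddMediator(cryptoMedInter);
    pm.AddMediator(rsmInter);

    // Target (end-entity) and root certificates from the buffers in certs.cpp.
    // NOTE(review): Decode's return value is not examined here; confirm it
    // throws on a malformed buffer rather than leaving an empty object behind.
    CPKIFCertificatePtr userCert = pkif_module.make_CPKIFCertificatePtr();
    userCert.Decode(IntArrayToByteArray(userCertBuf), userCertBuf.length);
    CPKIFCertificatePtr rootCert = pkif_module.make_CPKIFCertificatePtr();
    rootCert.Decode(IntArrayToByteArray(rootCertBuf), rootCertBuf.length);

    // In-memory trust anchor store, registered with the cache mediator that the
    // path mediator holds. Guard the lookup instead of dereferencing blindly.
    IPKIFColleaguePtr srsCol = pkif_module.make_NewSimpleRootStore();
    SimpleRootStorePtr srs = pkif_module.cast_ToSimpleRootStore(srsCol);
    CPKIFCacheMediator2 cm = pkif_module.Get_CacheMediator(pmInter);
    if (cm == null)
    {
        System.out.println("No cache mediator available; cannot build a path");
        return;
    }
    cm.AddColleague(srsCol);

    // In-memory CRL cache, also registered with the cache mediator.
    IPKIFColleaguePtr sccCol = pkif_module.make_NewSimpleCRLCache();
    SimpleCRLCachePtr scc = pkif_module.cast_ToSimpleCRLCache(sccCol);
    cm.AddColleague(sccCol);

    // The root certificate is the only trust anchor for this run.
    CPKIFTrustRootPtr trustRoot = pkif_module.make_CPKIFTrustRootPtr();
    trustRoot.SetCert(rootCert);
    srs.AddTrustRoot(pkif_module.cast_ToIPKIFTrustAnchorPtr(trustRoot));

    // Root CRL, added without a distribution point name.
    CPKIFCRLPtr cgCRL = pkif_module.make_CPKIFCRLPtr();
    cgCRL.Decode(IntArrayToByteArray(cgCRLBuf), cgCRLBuf.length);
    CPKIFGeneralNamePtr emptyDP = pkif_module.make_CPKIFGeneralNamePtr();
    scc.AddCRL(cgCRL, emptyDP);

    // Path object with the target certificate. A path settings object carrying
    // the desired validation inputs could optionally be set on it here.
    CPKIFCertificatePathPtr path = pkif_module.make_CPKIFCertificatePathPtr();
    path.SetTarget(userCert);

    CPKIFPathValidationResultsPtr valResults = pkif_module.make_CPKIFPathValidationResultsPtr();
    g_pvr = valResults;

    // Loop over candidate paths. A candidate is accepted only when it both
    // validated and has a definitive NOT_REVOKED status. Breaking on the
    // revocation status alone (as the original sample did) abandoned the
    // search after a candidate that was not revoked but failed validation for
    // some other reason, even though a later candidate might have validated.
    boolean succeeded = false;
    do
    {
        // Ask the builder for the next candidate; stop when it has none.
        if (!pm.BuildPath(path.get()))
        {
            break;
        }

        CPKIFFuncStoragePtr empty = pkif_module.make_Null_CPKIFFuncStoragePtr();
        pm.ValidatePath(path.get(), valResults.get(), empty);

        // Inspect status, builder statistics, path, etc. regardless of outcome.
        // See the "Working with path validation results" sample for details.
        // Writing straight to System.out replaces the original BufferedWriter
        // wrapper, whose error handler reported "Error reading user input" and
        // closed System.out itself, silencing every later println.
        System.out.println("Displaying validation results...");
        String log = pkif_module.GetValidationResultsLog(valResults, path, "Sample output");
        System.out.print(log);
        System.out.flush();

        succeeded = valResults.PathSuccessfullyValidated()
                    && RevocationStatus.NOT_REVOKED == valResults.GetRevocationStatusMostSevere();
    }
    while (!succeeded);

    // Report on the same predicate the loop used, so "success" is never
    // printed for a path whose revocation status was not established.
    System.out.println();
    if (succeeded)
        System.out.println("Successfully built and validated a path");
    else
        System.out.println("Failed to Build and validate a path");
}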