TSFI

The evaluated interface of PKIF, i.e. the target of evaluation security function interface (TSFI), is a subset of the interface exported from PKIF.dll. PKIF is being evaluated against the following packages from the U.S. Government Family of Protection Profiles for Public-Key Enabled Applications:

1. Certification Path Validation (CPV) – Basic Package,

2. CPV – Basic Policy Package,

3. CPV – Policy Mapping Package,

4. CPV – Name Constraints Package,

5. PKI Signature Generation Package,

6. PKI Signature Verification Package,

7. PKI Encryption using Key Transfer Algorithms Package,

8. PKI Decryption using Key Transfer Algorithms Package,

9. Online Certificate Status Protocol (OCSP) Client Package, and

10. Certificate Revocation List (CRL) Validation Package

PKIF functionality is divided into the following seven functional subsystems:

· Certificate/CRL Storage and Retrieval

· Cryptography

· Certification Path Processing

· Cryptographic Message Syntax

· Revocation Status

· X.509 and RFC 3280 Objects

· Timestamps

· Miscellaneous Functionality

Summary of PKIF security functionality can be found here

For each subsystem, a comprehensive reference book is provided as part of this help system. However, application developers need not be familiar with the entire library to enable an application to utilize the services provides by a PKI. The functionality addressed by the PP can be grouped into three categories: certification path processing, signature processing and public-key encryption processing.

To use PKIF for certification path processing, an application developer can elect to use the BuildAndValidatePath function of CPKIFPathProcessingMediator2 class to perform path development and path validation in a single function call or can use the BuildPath and ValidatePath functions of CPKIFPathProcessingMediator2 class to perform path development and validation directly.

Signature processing can be performed using the CPKIFSignedData class. CPKIFSignedData enables application developers to create and/or verify signed messages conforming to the Cryptographic Message Syntax specification. Verification can include certification path processing, enabling applications to verify a signature and perform certification path development and validation using a single function call.

Public-key encryption processing can be performed using the CPKIFEnvelopedData class. CPKIFEnvelopedData enables application developers to create and/or decrypt encrypted messages conforming to the Cryptographic Message Syntax specification. Encryption can include certification path processing for the recipient’s certificate.

The classes and interfaces described above require support from additional classes and functions in order to provide the intended functionality to applications and to address the requirements established in the PP. The list below identifies the functions, classes and class methods used by application developers to exercise the functionality addressed by the PP.

Certificate and CRL Storage and Retrieval

1) void CPKIFCacheMediator2::AddColleague(IPKIFColleaguePtr&)

2) CPKIFLDAPRepository::CPKIFLDAPRepository(void)

3) void CPKIFLDAPRepository::Set_Port(int)

4) void CPKIFLDAPRepository::SetHost(const char *)

Cryptography

5) const char * CPKIFCredential::ID(void)

6) const char * CPKIFCredential::Name(void)

7) void CPKIFCryptoMediator2::GetKeyList(CPKIFCredentialList &, std::bitset<9> *)

Cryptographic Message Syntax

8) CPKIFEncapsulatedContentInfo::CPKIFEncapsulatedContentInfo(void)

9) CPKIFBufferPtr CPKIFEncapsulatedContentInfo::GetContent(void)