BasicChecksUtils.cpp

Go to the documentation of this file.

#include "AlgorithmIdentifier.h"
#include "BasicChecksUtils.h"
#include "Buffer.h"
#include "Certificate.h"
#include "CertificateNodeListWithSourceInfo.h"
#include "GeneralName.h"
#include "GeneralSubtree.h"
#include "GottaMatch.h"
#include "IPKIFCryptoMisc.h"
#include "IPKIFCryptoRawOperations.h"
#include "IPKIFHashContext.h"
#include "Name.h"
#include "OID.h"
#include "PKIFCertStatus.h"
#include "PKIFCertificateNodeEntry.h"
#include "PKIFCertificatePath.h"
#include "PKIFCommonErrors.h"
#include "PKIFKeyMaterial.h"
#include "PKIFNameAndKeyWithScore.h"
#include "PKIFPATHErrors.h"
#include "PKIFPathException.h"
#include "PKIFPathSettings.h"
#include "PKIFTrustRoot.h"
#include "PathResults.h"
#include "PolicyInformation.h"
#include "PolicyInformationSet.h"
#include "PolicyMapping.h"
#include "PolicyMappings.h"
#include "SubjectAltName.h"
#include "SubjectPublicKeyInfo.h"
#include "SubtreeMatch.h"
#include "ToolkitUtils.h"
#include "Name.h"
#include "PKIFCertificatePath.h"
#include "PKIFTrustRoot.h"
#include "PKIFCertificateNodeEntry.h"
#include "PathResults.h"
#include "ooasn1.h"
#include "asn1ber.h"

#include "boost/numeric/conversion/cast.hpp"

#include <iterator>

using boost::numeric_cast;
using boost::bad_numeric_cast;

using namespace std;


using namespace boost;

#ifdef _DEBUG_PATH_POL
#include <iostream>

void DumpPolicySet(
    const char* message, 
    //[in] Vecotr of CPKIFPolicyInformationList objects that will be outputed
    const vector<CPKIFPolicyInformationListPtr>& authSet )
{
    cout << endl << message << endl;

    vector<CPKIFPolicyInformationListPtr>::const_iterator authSetPos;
    vector<CPKIFPolicyInformationListPtr>::const_iterator authSetEnd = authSet.end();
    int rowCount = 0;
    for(authSetPos = authSet.begin(); authSetPos != authSetEnd; ++authSetPos,++rowCount)
    {
        cout << "Row: " << rowCount << endl;
        CPKIFPolicyInformationList::const_iterator authSetPolPos;
        CPKIFPolicyInformationList::const_iterator authSetPolEnd = (*authSetPos)->end();
        for(authSetPolPos = (*authSetPos)->begin(); authSetPolPos != authSetPolEnd; ++authSetPolPos)
        {
            cout << (*authSetPolPos)->PolicyOID()->ToString() << endl;
        }
    }
    if(authSet.empty())
        cout << "Empty" << endl;

}
#endif

bool RowContainsAnyPolicy(
    const CPKIFPolicyInformationListPtr& test)
{
    //if test set has any policy then return true
    if(*g_anyPolicy == *test->back()) 
        return true;
    else
        return false;
}
void ProcessPolicyMapping(
    const CPKIFPolicyMappingsPtr& policyMappings, 
    const std::bitset<3>& indicators,
    vector<CPKIFPolicyInformationListPtr>& authSet)
{
    CPKIFOIDPtr anyPolicyOID(new CPKIFOID(CPKIFStringPtr(new std::string("2.5.29.32.0"))));
    if(indicators[CPKIFPathSettings::POLICY_MAPPING])
    {
        //we are inhibiting mapping
        //10.5.2 c) process any policy mappings extension by, for each mapping identified in the extension, 
        //locate all rows in the authorities-constrained-policy-set table whose [path-depth] column entry 
        //is equal to the issuer domain policy value in the extension and delete the row.

        CPKIFPolicyMappingListPtr policyMappingList = policyMappings->PolicyMappings();
        CPKIFPolicyMappingList::iterator pos;
        CPKIFPolicyMappingList::iterator end = policyMappingList->end();
        CPKIFOIDPtr issuerDomain;
        CPKIFPolicyInformationListPtr piList(new CPKIFPolicyInformationList);
        for(pos = policyMappingList->begin(); pos != end; ++pos)
        {
            issuerDomain = (*pos)->IssuerDomain();

            //added anyPolicy check per 3280 - 12/3/2003
            //ignore mappings involving anyPolicy
            if((*anyPolicyOID == *issuerDomain) || (*anyPolicyOID == *(*pos)->SubjectDomain()))
                throw CPKIFPathException(TOOLKIT_PATH_VALIDATOR,COMMON_INVALID_INPUT,"A certificate includes a policy mapping extension that maps to or from anyPolicy.");
            else
            {   
                CPKIFPolicyInformationPtr tmpPI(new CPKIFPolicyInformation(issuerDomain));
                piList->push_back(tmpPI);
            }
        }

        RowDoesContainPolicyInSet funcObj;
        funcObj.SetPolicySet(piList);
        vector<CPKIFPolicyInformationListPtr>::iterator authSetEnd = remove_if(authSet.begin(), authSet.end(), funcObj);
        authSet.erase(authSetEnd, authSet.end());
    }
    else
    {
        //we are not inhibiting mapping
        //10.5.2. d) process any policy mappings extension by, for each mapping identified in the extension, 
        //locate all rows in the authorities-constrained-policy-set table whose [path-depth] column entry is 
        //equal to the issuer domain policy value in the extension, and write the subject domain policy value 
        //from the extension in the [path-depth+1] column entry of the same row.  If the extension maps an 
        //issuer domain policy to more than one subject domain policy, then the affected row is copied and the 
        //new entry added to each row.  If the value in authorities-constrained-policy-set[0, path-depth] is 
        //any-policy, then write each issuer domain policy identifier from the policy mappings extension in the 
        //[path-depth] column, making duplicate rows as necessary and retaining qualifiers if they are present, 
        //and write the subject domain policy value from the extension in the [path-depth+1] column entry of 
        //the same row.

        //create a list containing all mappings for a given issuer domain
        CIssuerDomainMappingList idml;
        CPKIFPolicyMappingListPtr policyMappingList = policyMappings->PolicyMappings();
        CPKIFPolicyMappingList::iterator pos;
        CPKIFPolicyMappingList::iterator end = policyMappingList->end();
        for(pos = policyMappingList->begin(); pos != end; ++pos)
        {
            //added anyPolicy check per 3280 - 12/3/2003
            //ignore mappings involving anyPolicy
            if((*anyPolicyOID == *(*pos)->IssuerDomain()) || (*anyPolicyOID == *(*pos)->SubjectDomain()))
                throw CPKIFPathException(TOOLKIT_PATH_VALIDATOR,COMMON_INVALID_INPUT,"A certificate includes a policy mapping extension that maps to or from anyPolicy.");
            else
                idml.AddMapping(*pos);
        }

        bool zerothRowContainsAnyPolicy = false;
        CPKIFPolicyInformationPtr anyPolicy(new CPKIFPolicyInformation(anyPolicyOID));
        if(!authSet.empty() && !authSet.front()->empty() && *anyPolicy == *authSet.front()->back())
            zerothRowContainsAnyPolicy = true;

        struct IssuerDomainMappingList* list = idml.GetList();
        while(NULL != list)
        {
            //10.5.2 d)process any policy mappings extension by, for each mapping identified in the extension, 
            //locate all rows in the authorities-constrained-policy-set table whose [path-depth] column entry 
            //is equal to the issuer domain policy value in the extension, and write the subject domain policy 
            //value from the extension in the [path-depth+1] column entry of the same row.  If the extension 
            //maps an issuer domain policy to more than one subject domain policy, then the affected row is 
            //copied and the new entry added to each row.  If the value in 
            //authorities-constrained-policy-set[0, path-depth] is any-policy, then write each issuer domain 
            //policy identifier from the policy mappings extension in the [path-depth] column, making duplicate 
            //rows as necessary and retaining qualifiers if they are present, and write the subject domain 
            //policy value from the extension in the [path-depth+1] column entry of the same row.           

            //vector<CPKIFPolicyInformationListPtr>::iterator authSetPos;
            //vector<CPKIFPolicyInformationListPtr>::iterator authSetEnd = authSet.end();
            //for(authSetPos = authSet.begin(); authSetPos != authSetEnd; authSetPos++)
            for(unsigned int ii = 0; ii < authSet.size(); ii++)
            {
                CPKIFPolicyInformationListPtr curr = authSet[ii];
                if(!curr->empty() && (*(list->m_issuerDomain) == *(curr->back())))
                {
                    list->m_bProcessed = true;
                    CPKIFPolicyInformationListPtr curRow = curr;
                    CPKIFPolicyInformationList::iterator subDomainPos = list->m_subjectDomains.begin();
                    CPKIFPolicyInformationList::iterator subDomainEnd = list->m_subjectDomains.end();

                    CPKIFPolicyInformationPtr tmpPol(new CPKIFPolicyInformation((*subDomainPos)->PolicyOID()));
                    curr->push_back(tmpPol);
                    for(++subDomainPos; subDomainPos != subDomainEnd; ++subDomainPos)
                    {
                        //for all additional mappings to the same issuer copy the row and add it
                        CPKIFPolicyInformationListPtr newRow(new CPKIFPolicyInformationList);
                        copy(curRow->begin(),curRow->end(), back_inserter(*newRow));
                        CPKIFPolicyInformationPtr pathDepthColumn(*subDomainPos);
                        newRow->pop_back();
                        newRow->push_back(pathDepthColumn);
                        authSet.push_back(newRow);
                    }
                }
            }

            list = list->m_next;
        }

        if(zerothRowContainsAnyPolicy)
        {
            CPKIFPolicyInformationListPtr zerothRow = authSet.front();
            struct IssuerDomainMappingList* list = idml.GetList();
            while(NULL != list)
            {
                if(!list->m_bProcessed)
                {
                    //create a row by copying the zeroth row and placing issuer domain in 
                    //the path depth column (i.e. overwriting the last entry)
                    CPKIFPolicyInformationListPtr newRow(new CPKIFPolicyInformationList);
                    copy(zerothRow->begin(),zerothRow->end(), back_inserter(*newRow));
                    CPKIFPolicyInformationPtr pathDepthColumn(list->m_issuerDomain);
                    newRow->pop_back();
                    newRow->push_back(pathDepthColumn);

                    CPKIFPolicyInformationList::iterator subDomainPos = list->m_subjectDomains.begin();
                    CPKIFPolicyInformationList::iterator subDomainEnd = list->m_subjectDomains.end();

                    for(; subDomainPos != subDomainEnd; ++subDomainPos)
                    {
                        //for each subject domain policy copy the newRow, add the sub domain to
                        //the path depth plus one column and push it into the auth set
                        CPKIFPolicyInformationListPtr newRowWithSubDomain(new CPKIFPolicyInformationList);
                        copy(zerothRow->begin(),zerothRow->end(), back_inserter(*newRowWithSubDomain));
                        CPKIFPolicyInformationPtr pathDepthColumn(list->m_issuerDomain);
                        newRowWithSubDomain->push_back(pathDepthColumn);
                        authSet.push_back(newRowWithSubDomain);
                    }
                }

                list = list->m_next;
            }
        }
    }
#ifdef _DEBUG_PATH_POL
    DumpPolicySet("Dumping authority constrained set leaving ProcessPolicyMapping", authSet);
#endif
}
void AddPoliciesToAuthSet(
    const CPKIFPolicyInformationSetPtr& certPols,
    const std::bitset<3>& indicators,
    vector<CPKIFPolicyInformationListPtr>& authSet, 
    bool isSelfIssued, 
    bool isIntermediate)
{
#ifdef _DEBUG_PATH_POL
    DumpPolicySet("Dumping authority constrained set entering AddPoliciesToAuthSet", authSet);
#endif

    CPKIFPolicyInformationListPtr certPolList = certPols->GetPolicySet();

    CPKIFOIDPtr anyPolicyOID(new CPKIFOID(CPKIFStringPtr(new std::string("2.5.29.32.0"))));
    CPKIFPolicyInformationPtr anyPolicy(new CPKIFPolicyInformation(anyPolicyOID));

    CPKIFPolicyInformationPtr anyPolicyFromCertPolList;

    CPKIFPolicyInformationList::iterator currentPolicy;
    CPKIFPolicyInformationList::iterator end = certPolList->end();
    bool foundPolicy = false, foundAnyPolicy = false, zerothRowContainsAnyPolicy = false;
    vector<CPKIFPolicyInformationListPtr>::iterator authSetPos, authSetEnd;
    for(currentPolicy = certPolList->begin(); currentPolicy != end; ++currentPolicy)
    {
        zerothRowContainsAnyPolicy = false;
        if(!authSet.empty() && *anyPolicy == *authSet.front()->back())
            zerothRowContainsAnyPolicy = true;

        //10.5.1.d) If the certificate policies extension is present, then for each policy, P, 
        //in the extension other than anyPolicy, attach the policy qualifiers associated with P 
        //to each row in the authorities-constrained-policy-set table whose [path-depth] column 
        //entry contains the value P. If no row in the authorities-constrained-policy-set table 
        //contains P in its [path-depth] column entry but the value in 
        //authorities-constrained-policy-set[0, path-depth] is any-policy, then add a new row 
        //to the table by duplicating the zeroth row and writing the policy identifier P along 
        //with its qualifiers in the [path-depth] column entry of the new row.

        //we don't do any processing of anyPolicy occurances in cert pol extensions
        if(*(*currentPolicy) == *anyPolicy)
        {
            anyPolicyFromCertPolList = *currentPolicy;
            foundAnyPolicy = true;
            continue;
        }

        authSetEnd = authSet.end();
        foundPolicy = false;
        //iterate over all rows in authSet table looking for current policy
        //the "back" element in each row is the "path-depth" column
        for(authSetPos = authSet.begin(); authSetPos != authSetEnd; ++authSetPos)
        {
            if(!(*authSetPos)->empty() && *(*currentPolicy) == *((*authSetPos)->back()))
            {
                //we found a row that matches the current policy
                foundPolicy = true;

                //attach qualifiers
                CPKIFPolicyQualifierListPtr qList = (*currentPolicy)->Qualifiers();
                if(qList != (CPKIFPolicyQualifierList*)NULL && !qList->empty())
                {
                    CPKIFPolicyQualifierListPtr existingQualifiers = (*authSetPos)->back()->Qualifiers();
                    if(existingQualifiers != (CPKIFPolicyQualifierList*)NULL)
                    {
                        //if there are qualifiers already in place - attach all of the 
                        //new qualifiers to the existing ones (if we get duplicates so be it)
                        copy(qList->begin(), qList->end(), back_inserter(*existingQualifiers));
                    }
                    else
                    {
                        //added 12/6/2003
                        CPKIFPolicyQualifierListPtr newQualifiers(new CPKIFPolicyQualifierList);
                        copy(qList->begin(), qList->end(), back_inserter(*newQualifiers));
    
                        //there were no qualifiers and now there are
                        (*authSetPos)->back()->SetQualifiers(newQualifiers);
                    }
                }
            }
        }

        if(!foundPolicy && zerothRowContainsAnyPolicy)
        {
            //if we didn't find the current policy in the path depth column of any row
            //and the zeroth row contains anyPolicy then we duplicate the zeroth row and 
            //overwrite the path depth column with the current policy then attach the altered row.
            CPKIFPolicyInformationListPtr newRow(new CPKIFPolicyInformationList);
            copy(authSet.front()->begin(), authSet.front()->end(), back_inserter(*newRow));
            newRow->pop_back();
            newRow->push_back(*currentPolicy);
            authSet.push_back(newRow);
        }
    }

    //10.5.1 e)  If the certificate policies extension is present and does not include the value 
    //anyPolicy or if the inhibit-any-policy-indicator is set, then delete any row for which the 
    //[path-depth] column entry contains the value any-policy along with any row for which the 
    //[path-depth] column entry does not contain one of the values in the certificate policies 
    //extension.
    //mod to align with technical corrigendum 1: 02/13/03 CRW
    //technical corrigendum 1 item 5: Replace "or if the inhibit-any-policy-indicator is set, then 
    //delete" with "or if the inhibit-any-policy-indicator is set and the certificate is not a 
    //self-issued intermediate certificate, then delete". 
    if(!foundAnyPolicy || (indicators[CPKIFPathSettings::ANY_POLICY] && !(isSelfIssued && isIntermediate)))
    {
        //if the current set of policies did not contain any policy or the inhibit any bit is set
        //then remove any row in the auth set with any policy in path depth column and any row that
        //contains a value not found in certPolList
        vector<CPKIFPolicyInformationListPtr>::iterator end = remove_if(authSet.begin(), authSet.end(), RowContainsAnyPolicy);
        authSet.erase(end, authSet.end());

        RowDoesNotContainPolicyInSet funcObj;
        funcObj.SetPolicySet(certPolList);
        end = remove_if(authSet.begin(), authSet.end(), funcObj);
        authSet.erase(end, authSet.end());
    }
    else if(foundAnyPolicy && !indicators[CPKIFPathSettings::ANY_POLICY])
    {

        //10.5.1 f) If the certificate policies extension is present and includes the value 
        //          anyPolicy and the inhibit-any-policy-indicator is not set, then attach 
        //          the policy qualifiers associated with anyPolicy to each row in the 
        //          authorities-constrained-policy-set table whose [path-depth] column entry 
        //          contains the value any-policy or contains a value that does not appear 
        //          in the certificate policies extension.
        //add qualifiers from anyPolicyFromCertPolList to any row that 
        //contains any policy or a policy not found in the certPolList

        authSetEnd = authSet.end();
        for(authSetPos = authSet.begin(); authSetPos != authSetEnd; ++authSetPos)
        {
            if(!(*authSetPos)->empty())
            {
                //see if the current authSet position is any policy or is not present in the certPolList.  in 
                //either case attach the qualifiers from the anyPolicy entry in certPolList to the row.
                GottaMatch<CPKIFPolicyInformationPtr> gm;
                gm.SetRHS((*authSetPos)->back());
                if(*anyPolicy == *(*authSetPos)->back() || certPolList->end() == find_if(certPolList->begin(), certPolList->end(), gm))
                {
                    //attach qualifiers
                    CPKIFPolicyQualifierListPtr qList = anyPolicyFromCertPolList->Qualifiers();
                    if(qList != (CPKIFPolicyQualifierList*)NULL && !qList->empty())
                    {
                        CPKIFPolicyQualifierListPtr existingQualifiers = (*authSetPos)->back()->Qualifiers();
                        if(existingQualifiers != (CPKIFPolicyQualifierList*)NULL)
                        {
                            //if there are qualifiers already in place - attach all of the 
                            //new qualifiers to the existing ones (if we get duplicates so be it)
                            copy(qList->begin(), qList->end(), back_inserter(*existingQualifiers));
                        }
                        else
                        {
                            //added 12/6/2003
                            CPKIFPolicyQualifierListPtr newQualifiers(new CPKIFPolicyQualifierList);
                            copy(qList->begin(), qList->end(), back_inserter(*newQualifiers));
        
                            //there were no qualifiers and now there are
                            (*authSetPos)->back()->SetQualifiers(newQualifiers);
                        }
                    }
                }
            }
        }
    }

#ifdef _DEBUG_PATH_POL
    DumpPolicySet("Dumping authority constrained set leaving AddPoliciesToAuthSet", authSet);
#endif
}
void CAC_API IntersectSets(
    CPKIFPolicyInformationListPtr& authSetCondensed,
    CPKIFPolicyInformationListPtr& initSet, 
    CPKIFPolicyInformationListPtr& userSet)
{
    //empty the user set
    userSet->clear();

    //set up variables needed when calling find_if
    MatchesPolicy mp;
    CPKIFPolicyInformationList::iterator authBegin = authSetCondensed->begin();
    CPKIFPolicyInformationList::iterator authEnd = authSetCondensed->end();

    //iterate over all policies in the initial policy set and create a list of policies found 
    //in both the initial policy set and authority constrainted set in userSet
    CPKIFPolicyInformationList::iterator initPos;
    CPKIFPolicyInformationList::iterator initEnd = initSet->end();
    for(initPos = initSet->begin(); initPos != initEnd; ++initPos)
    {
        //see if the current policy from the initial policy set is in the auth set
        mp.SetPolicyToMatch(*initPos);
        if(authEnd != find_if(authBegin, authEnd, mp))
        {
            //if it is then add it to the user set
            userSet->push_back(*initPos);
        }
    }
}
void CAC_API IntersectSubtrees(
    CPKIFGeneralSubtreeListPtr& fromExtension, 
    CPKIFGeneralSubtreeListPtr& curTrees, 
    CPKIFGeneralSubtreeListPtr& newSet)
{
    //empty the user set
    newSet->clear();

    if(curTrees->empty())
    {
        //empty means unbounded - set new set to fromExtensions
        newSet = fromExtension;
        return;
    }

    // GIB: Note: now that we support non-DN nameConstraints, the meaning of this
    // match predicate has been inverted. Where before it would return trees
    // that intersect, now it returns trees that are disjoint. This is because
    // IntersectSubtrees now needs to retain the set of subtrees that intersect
    // or are unrelated (i.e. if a DN constraint is imposed by a CA and an
    // rfc822Name constraint is imposed by a subordinate, both must
    // go into the final set)
    // So now we mark known bad subtrees as excluded instead.
    SubtreeMatch isImpossible;

    // find_if will iterate over subtrees pulled from the 
    // PermittedSubtrees extension
    CPKIFGeneralSubtreeList::iterator fromExtBegin = fromExtension->begin();
    CPKIFGeneralSubtreeList::iterator fromExtEnd = fromExtension->end();
    CPKIFGeneralSubtreeList::iterator fromExtTemp = fromExtension->begin();

    // for each subtree in the permitted set, see if any of the ones from the
    // extension are excluded and mark them as such
    CPKIFGeneralSubtreeList::iterator curTreesPos;
    CPKIFGeneralSubtreeList::iterator curTreesEnd = curTrees->end();
    for(curTreesPos = curTrees->begin(); curTreesPos != curTreesEnd; ++curTreesPos)
    {
        isImpossible.SetRHS(*curTreesPos);
        fromExtTemp = find_if(fromExtBegin, fromExtEnd, isImpossible);
        if(fromExtTemp != fromExtEnd)
        {
            // if a subtree that's excluded by the issuer set is found,
            // mark it empty and add it to the new set
            // with different subtree types, invalid ones need to be marked empty rather
            // than simply discarded
            CPKIFGeneralSubtreePtr empty((*fromExtTemp)->ShallowCopy());
            empty->SetEmpty();
            newSet->push_back(empty);
        }
    }
    // if any trees from the extension haven't been marked as empty, add them to
    // the new set
    for(fromExtTemp = fromExtBegin; fromExtTemp != fromExtEnd; ++fromExtTemp)
    {
        CPKIFGeneralSubtreeList::iterator newTreesPos;
        CPKIFGeneralSubtreeList::iterator newTreesEnd = newSet->end();
        bool found = false;
        for(newTreesPos = newSet->begin();!found && newTreesPos != newTreesEnd; ++newTreesPos)
        {
            if(*newTreesPos == *fromExtTemp) {
                found = true;
            }
        }
        if(!found) {
            newSet->push_back(*fromExtTemp);
        }
    }

}
bool IsInSubtree(
    CPKIFGeneralSubtreeListPtr& subtree, 
    CPKIFCertificatePtr& curCert,
    bool bIsPerm)
{
    //This function will return true if either the subject DN is found in a subtree
    //or ANY alt name is found in a subtree.  

    CPKIFGeneralSubtreeList::iterator pos;
    CPKIFGeneralSubtreeList::iterator end = subtree->end();

    CPKIFGeneralSubtree::MatchState subjectMatch = CPKIFGeneralSubtree::NOT_APPLICABLE;
    CPKIFNamePtr subjectName = curCert->Subject();
    if(subjectName != (CPKIFName*)NULL && 0 != strcmp(subjectName->ToString(), ""))
    {
        for(pos = subtree->begin();
            subjectMatch != CPKIFGeneralSubtree::MATCH && pos != end;
            ++pos)
        {
            CPKIFGeneralName::GENNAMETYPE stType = (*pos)->GetBase()->GetType();
            // only check the subject if the subtree is directoryName or rfc822Name
            if(CPKIFGeneralName::DIRECTORYNAME == stType || CPKIFGeneralName::RFC822 == stType)
            {
                CPKIFGeneralSubtree::MatchState tmpState = (*pos)->IsInSubtree(subjectName);
                // never move from NO_MATCH to NOT_APPLICABLE
                if(tmpState != CPKIFGeneralSubtree::NOT_APPLICABLE) subjectMatch = tmpState;
            }
        }
    }

    CPKIFGeneralSubtree::MatchState sanMatch = CPKIFGeneralSubtree::NOT_APPLICABLE;
    CPKIFSubjectAltNamePtr subAltName = curCert->GetExtension<CPKIFSubjectAltName>();
    bool hasSAN = (subAltName != (CPKIFSubjectAltName*) 0);
    if( hasSAN )
    {
        CPKIFGeneralNameList genNames;
        subAltName->GeneralNames(genNames);
        CPKIFGeneralNameList::iterator gnPos;
        CPKIFGeneralNameList::iterator gnEnd = genNames.end();
        for(gnPos = genNames.begin();
            sanMatch != CPKIFGeneralSubtree::MATCH && gnPos != gnEnd;
            ++gnPos)
        {
            end = subtree->end();
            for(pos = subtree->begin();
                sanMatch != CPKIFGeneralSubtree::MATCH && pos != end;
                ++ pos)
            {
                try {
                    CPKIFGeneralSubtree::MatchState tmpState = (*pos)->IsInSubtree((*gnPos));
                    // never move from NO_MATCH to NOT_APPLICABLE
                    if(tmpState != CPKIFGeneralSubtree::NOT_APPLICABLE)
                        sanMatch = tmpState;
                }catch(CPKIFException &pe){
                    // GIB 4/20/2006: The code that was here before set the flag to true
                    // if the subjectAltName was unsupported (i.e. behaved as if it wasn't present
                    // Given the refactoring of this function, doing nothing now represents
                    // the same behavior.
                    // We may want to log the fact that an unsupported name type was
                    // encountered now
                    if(bIsPerm)
                        throw pe;
                }
            }
        }
    }
    if(sanMatch == CPKIFGeneralSubtree::NO_MATCH || subjectMatch == CPKIFGeneralSubtree::NO_MATCH)
        return false;
    
    return true;
}
bool CheckNameConstraints(
    CPKIFCertificatePtr& curCert, 
    CPKIFGeneralSubtreeListPtr& permSubtrees, 
    CPKIFGeneralSubtreeListPtr& exclSubtrees, 
    bool permSubtreesHasBeenSet)
{
    //added empty check 12/3/2003
    if(exclSubtrees && !exclSubtrees->empty() && IsInSubtree(exclSubtrees, curCert, false))
        return false;

    if(!permSubtrees || (permSubtrees->empty() && !permSubtreesHasBeenSet))
        return true;
    else
        return IsInSubtree(permSubtrees, curCert, true);
}

//removed export declarations 8/18/2004
bool IsEmpty(CPKIFCertificateNodeListWithSourceInfoPtr& node)
{
    return node->empty();
}
bool IsEmptyNameAndKey(
    CPKIFNameAndKeyWithScoreListPtr& node)
{
    return node->empty();
}
bool IsNullCertificateSourceList(CPKIFCertificateSourceListPtr& node)
{
    return node == (CPKIFCertificateSourceList*)NULL;
}


bool _GetHashOfToBeSignedCert(
    const CPKIFCertificate& cert, 
    IPKIFCryptoMisc* cryptoMisc, 
    PKIFCRYPTO::HASH_ALG hashAlg, 
    unsigned char* hashResult, 
    int* hashResultLen)                       //output, input/output
{
    int stat = ASN_OK;

    if(NULL == cryptoMisc || NULL == hashResult)
        throw CPKIFPathException(TOOLKIT_PATH_VALIDATOR,COMMON_INVALID_INPUT,"Invalid input passed to certificate hash calculation function");

    //get a pointer to the encoded CRL and the length of the encoded CRL
    CPKIFBufferPtr certBuf = cert.Encoded();
    int length = certBuf->GetLength();

    if(0 == length)
        throw CPKIFPathException(TOOLKIT_PATH_VALIDATOR,COMMON_INVALID_INPUT,"Empty CRL passed to CRL hash calculation function");

    //prepare an OOCTXT object with the CRL buffer and length
    OOCTXT ctxt;
    initContext (&ctxt);
    setBERDecBufPtr(&ctxt, certBuf->GetBuffer(), length, NULL, NULL);
    OOCTXT* pctxt = &ctxt;

    //parse the first sequence (SIGNED macro)
    stat = matchTag (pctxt, TM_UNIV|TM_CONS|16, &length, XM_ADVANCE);
    if (stat != ASN_OK)
    {
        freeEncodeBuffer(&ctxt);
        memFreeAll(&ctxt);
        return false;
    }

    //save the offset
    size_t byteIndex = ctxt.buffer.byteIndex;

    //parse the next sequence to get the length
    stat = matchTag (pctxt, TM_UNIV|TM_CONS|16, &length, XM_ADVANCE);
    if (stat != ASN_OK)
    {
        freeEncodeBuffer(&ctxt);
        memFreeAll(&ctxt);
        return false;
    }

    //set the pointer to the offset collected above and the length to the length
    //returned by the second parse operation plus the offset difference.  this is the
    //to be signed CRL to pass to the hash function below.
    unsigned char* p = (unsigned char*)ctxt.buffer.data + byteIndex; 

    size_t tmpST = ctxt.buffer.byteIndex - byteIndex;
    unsigned int tmpUI = 0;

    try {
        tmpUI = numeric_cast<unsigned int>(tmpST);
    }catch(bad_numeric_cast &) {
        throw CPKIFException(TOOLKIT_PATH, COMMON_INVALID_INPUT, "Byte offset difference too large.");
    }

    length += (tmpUI);

    IPKIFHashContext* hash = NULL;
    try
    {
        //create a hash object, pass the buffer and length we calculated and obtain the result
        hash = cryptoMisc->HashInit(hashAlg);
        cryptoMisc->HashUpdate(hash, p, length);
        cryptoMisc->HashFinal(hash, (unsigned char*)hashResult, hashResultLen);
    }
    catch(CPKIFException& e)
    {
        if(NULL != hash)
            delete hash;

        //clean up the context
        freeEncodeBuffer(&ctxt);
        memFreeAll(&ctxt);

        throw e;
    }

    //clean up the hash
    delete hash; 

    //clean up the context
    freeEncodeBuffer(&ctxt);
    memFreeAll(&ctxt);

    return true;
}

//utility function to walk a path and validate all certs.  assumes the path is constructed
//as follows: trust root -> begin -> next -> ... -> end where each cert is verified using the 
//cert to the left in the diagram.  For clarity, root -> ICA1 (issued by root) -> ICA2 (issued by ICA1) -> EE (issued by ICA2)
bool CAC_API PathSigChecker(
    const CPKIFCertificatePath& path, 
    IPKIFCryptoRawOperations* crypto, 
    IPKIFCryptoMisc* cryptoMisc, 
    CPKIFPathValidationResults& results)
{
    //check the input - we need two interfaces here
    if(NULL == crypto || NULL == cryptoMisc)
    {
        RAISE_PATH_EXCEPTION("NULL crypto or cryptoMisc parameter.", TOOLKIT_PATH_VALIDATOR, COMMON_INVALID_INPUT, NULL)
    }

    //get the list of certs that comprise the path
    CPKIFCertificateNodeList certNodeList;
    path.GetPath(certNodeList);

    //make sure the list is not NULL and is not empty
    if(0 == certNodeList.size())
    {
        RAISE_PATH_EXCEPTION("Empty certificate path parameter.", TOOLKIT_PATH_VALIDATOR, COMMON_INVALID_INPUT, NULL)
    }

    //declare some variables
    CPKIFCertificatePtr curCert;
    //IPKIFNameAndKeyPtr prevCert = NULL;
    IPKIFNameAndKeyPtr prevCert;
    IPKIFTrustAnchorPtr trustRoot;

    //get the trust root from the path
    path.GetTrustRoot(trustRoot);
    if(trustRoot == (IPKIFTrustAnchor*)NULL)
    {
        RAISE_PATH_EXCEPTION("Path does not specify a trust root.", TOOLKIT_PATH_VALIDATOR, PATH_TRUST_ROOT_NOT_SET, NULL)
    }

    //retrieve a cert from the trust root to serve as the first "previous cert" for the loop below
    //CPKIFTrustRoot* ta = dynamic_cast<CPKIFTrustRoot*>(&(*(trustRoot)));
    //if(ta != NULL)
    //{
    //  ta->GetCert(prevCert);
    //  if(prevCert == (CPKIFCertificate*)NULL)
    //  {
    //      RAISE_PATH_EXCEPTION("Trust root is not a certificate.", TOOLKIT_PATH_VALIDATOR, PATH_TRUST_ROOT_NO_CERT, NULL)
    //  }
    //}

    //prevCert = dynamic_cast<IPKIFNameAndKey*>(&(*(trustRoot)));
    prevCert = boost::dynamic_pointer_cast<IPKIFNameAndKey, IPKIFTrustAnchor>(trustRoot);

    //working params stuff
    CPKIFAlgorithmIdentifierPtr workingParams = prevCert->GetSubjectPublicKeyInfo()->alg();
    AlgClass workingAlg = GetAlgClass(workingParams);

    //iterate over all certs in the list verifying each signature using the previous cert
    CPKIFCertificateNodeList::iterator pos;
    CPKIFCertificateNodeList::iterator end = certNodeList.end();
    for(pos = certNodeList.begin(); pos != end; ++pos)
    {
        curCert = (*pos)->GetCert();
        CPKIFCertStatusPtr status = (*pos)->GetStatus();

        //set up some variables for use in calculating hash of CRL (alg will be set up below)
        char hashResult[MAXHASH];
        int nResultLen = MAXHASH;
        PKIFCRYPTO::HASH_ALG hashAlg = PKIFCRYPTO::SHA1;

        CPKIFAlgorithmIdentifierPtr prevCertSigAlg = prevCert->GetSubjectPublicKeyInfo()->alg();
        CPKIFAlgorithmIdentifierPtr curCertSigAlg = curCert->SignatureAlgorithm();
        AlgClass prevAC = GetAlgClass(prevCertSigAlg);
        AlgClass curAC = GetAlgClass(curCertSigAlg);
        if(prevAC != curAC)
        {
            status->SetDiagnosticCode(PATH_SIGNATURE_VERIFICATION_FAILED);
            return false;
        }

        //for now we are supporting MD5 and SHA1 only adjust the below code accordingly when and if that changes
        CPKIFAlgorithmIdentifierPtr sigAlg = curCert->SignatureAlgorithm();
        CPKIFOIDPtr aTmpOID = sigAlg->oid();
        if(!GetCACHashAlg(aTmpOID/*sigAlg->oid()*/, &hashAlg))
            throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER, COMMON_UNSUPPORTED_ALG);

        //obtain the hash of the to-be-signed CRL
        if(!_GetHashOfToBeSignedCert(*curCert, cryptoMisc, hashAlg, (unsigned char*)hashResult, &nResultLen))
            return false;
        
        //get the cert signature in a buffer
        CPKIFBufferPtr sigBuf = curCert->Signature();
        CPKIFKeyMaterial key;
        CPKIFTrustRootPtr tmpTA = dynamic_pointer_cast<CPKIFTrustRoot, IPKIFNameAndKey>(prevCert);
        if(tmpTA != (CPKIFTrustRoot*)NULL)
        {
            CPKIFCertificatePtr tmpCert;
            tmpTA->GetCert(tmpCert);
            if(tmpCert != (CPKIFCertificate*)NULL)
            {
                CPKIFBufferPtr certBuf = tmpCert->Encoded();
                key.SetCertificate(certBuf->GetBuffer(), certBuf->GetLength());
            }
        }
        else
        {
            CPKIFCertificatePtr tmpCert = dynamic_pointer_cast<CPKIFCertificate, IPKIFNameAndKey>(prevCert);
            if(tmpCert != (CPKIFCertificate*)NULL)
            {
                CPKIFBufferPtr certBuf = tmpCert->Encoded();
                key.SetCertificate(certBuf->GetBuffer(), certBuf->GetLength());
            }
        }

        // GCC doesn't see the return value of GetSubjectPublicKeyInfo as a reference when included inline
        CPKIFSubjectPublicKeyInfoPtr spki = prevCert->GetSubjectPublicKeyInfo();
        key.SetSubjectPublicKeyInfo(spki);
        key.SetWorkingParameters(workingParams);

        //see if it verifies
        if(!crypto->Verify(key, (unsigned char*)hashResult, nResultLen, (unsigned char*)sigBuf->GetBuffer(), sigBuf->GetLength(), hashAlg))
        {
            results.SetCertificate(*pos);
            status->SetDiagnosticCode(PATH_SIGNATURE_VERIFICATION_FAILED);
            return false;
        }
        else
            status->SetSignatureVerified(true);

        //prevCert = dynamic_cast<IPKIFNameAndKey*>(&(*(curCert)));
        prevCert = dynamic_pointer_cast<IPKIFNameAndKey, CPKIFCertificate>(curCert);
        CPKIFAlgorithmIdentifierPtr prevAlgParams = prevCert->GetSubjectPublicKeyInfo()->alg();
        if(workingAlg != GetAlgClass(prevAlgParams))
        {
            //if the alg type changed then we need to clear the working parameters
            CPKIFAlgorithmIdentifierPtr tmpAI;
            workingParams = tmpAI;
            workingAlg = GetAlgClass(prevAlgParams); //added 12/2/2003
        }
        //if the alg class is the same - see if the most recent cert has params
        //if it does use them - if not stick with the ones that were previously set
        if(prevCert->GetSubjectPublicKeyInfo()->alg()->hasParameters())
            workingParams = prevAlgParams;
    }

    //the path has earned another check mark
    results.SetCertSignaturesVerified(true);
    results.SetWorkingParams(workingParams);

    return true;
}
void CAC_API FindErrorAndSetOnResults(
    const CPKIFCertificatePath& path, 
    CPKIFPathValidationResults& results)
{
    CPKIFCertificateNodeList pathList;
    path.GetPath(pathList);
    bool bStatusSet = false;
    CPKIFCertificateNodeList::iterator pathPos;
    CPKIFCertificateNodeList::iterator pathEnd = pathList.end();
    for(pathPos = pathList.begin(); pathPos != pathEnd; ++pathPos)
    {
        CPKIFCertStatusPtr status = (*pathPos)->GetStatus();
        if(status)
        {
            if(results.GetRevocationStatusMostSevere() > status->GetRevocationStatus())
            {
                results.SetRevocationStatusMostSevere(status->GetRevocationStatus());

                //we want to avoid setting revocation not determined if something more interesting
                //is set but want revoked to be there always
                if(REVOKED == status->GetRevocationStatus() && 0 != status->GetDiagnosticCode())
                {
                    results.SetCertificate(*pathPos);
                    results.SetCertStatus(status);
                    bStatusSet = true;
                }
            }
            if(!bStatusSet && 0 != status->GetDiagnosticCode())
            {               
                results.SetCertificate(*pathPos);
                results.SetCertStatus(status);
                bStatusSet = true;
            }
        }
    }
}