CACCMSUtils.cpp

Go to the documentation of this file.

#include "PKIFCMSUtils.h"
#include "PKIFMemoryUtils.h"
#include "private/PrivatePKIFCMSUtils.h"
#include "Attribute.h"
#include "Certificate.h"
#include "KeyUsage.h"
#include "OID.h"
#include "AttrMatch.h"
#include "AlgorithmIdentifier.h"
#include "MessageDigestAttribute.h"
#include "ContentTypeAttribute.h"
#include "SignerInfo.h"
#include "IssuerAndSerialNumber.h"
#include "SubjectKeyIdentifier.h"
#include "SubjectPublicKeyInfo.h"
#include "Name.h"
#include "KEKRecipInfoDetails.h"
#include "CountersignatureAttribute.h"

#include "PKIFCertificateNodeEntry.h"
#include "PathResults.h"
#include "ToolkitUtils.h"
#include "components.h"
#include "PKIFMessageException.h"
#include "PKIFCommonErrors.h"
#include "ASN1Helper.h"
#include "Buffer.h"
#include "OID.h"
#include "IPKIFColleague.h"
#include "IPKIFCryptoKeyAgree.h"
#include "ParallelHash.h"
#include "PKIFCMSMessageMemoryHelper.h"
#include "PKIFFuncStorage.h"
#include "PKIFAlgorithm.h"

#include "PKIX1Algorithms88.h"
#include "CryptographicMessageSyntax2004.h"
#include "ECC-CMS.h"

#include "IPKIFCryptoKeyIDOperations.h"
#include "IPKIFCryptoMisc.h"
#include "IPKIFCryptoRawOperations.h"
#include "IPKIFPathBuild.h"
#include "IPKIFPathValidate.h"
#include "IPKIFHashContext.h"
#include "IPKIFKeyAgreeContext.h"

#include "PKIFCryptoPPUtils.h"

#include "SignedData.h"

#include "PKIFCAPIErrors.h"
#include "PKIFCryptoPPErrors.h"
#include "PKIFNSSErrors.h"
using namespace std;

void PKIFCMS_API keyUsageChecker_Signature(
    const CPKIFCertificateNodeEntryPtr& certNode,
    CPKIFPathValidationResults& results,
    CertificateType type)
{
    if(EE == type)
    {
        CPKIFCertificatePtr curCert = certNode->GetCert();
        CPKIFKeyUsagePtr keyUsage = curCert->GetExtension<CPKIFKeyUsage>();
        if(keyUsage != (CPKIFKeyUsage*)NULL && (keyUsage->DigitalSignature() || keyUsage->NonRepudiation()))
        {
            CPKIFX509ExtensionPtr keyUsage2 = keyUsage;
            certNode->MarkExtensionAsProcessed(keyUsage2);
        }
    }
}
void PKIFCMS_API keyUsageChecker_Encryption(
    const CPKIFCertificateNodeEntryPtr& certNode,
    CPKIFPathValidationResults& results,
    CertificateType type)
{
    if(EE == type)
    {
        CPKIFCertificatePtr curCert = certNode->GetCert();
        CPKIFKeyUsagePtr keyUsage = curCert->GetExtension<CPKIFKeyUsage>();
        if(keyUsage != (CPKIFKeyUsage*)NULL && keyUsage->KeyEncipherment())
        {
            CPKIFX509ExtensionPtr keyUsage2 = keyUsage;
            certNode->MarkExtensionAsProcessed(keyUsage2);
        }
    }
}

void PKIFCMS_API keyUsageChecker_KeyAgreement(
    const CPKIFCertificateNodeEntryPtr& certNode,
    CPKIFPathValidationResults& results,
    CertificateType type)
{
    if(EE == type)
    {
        CPKIFCertificatePtr curCert = certNode->GetCert();
        CPKIFKeyUsagePtr keyUsage = curCert->GetExtension<CPKIFKeyUsage>();
        if(keyUsage != (CPKIFKeyUsage*)NULL && keyUsage->KeyAgreement())
        {
            CPKIFX509ExtensionPtr keyUsage2 = keyUsage;
            certNode->MarkExtensionAsProcessed(keyUsage2);
        }
    }
}
#if 0

void PKIFCMS_API CopyOID(
    ASN1OBJID* dest, 
    ASN1OBJID* src)
{
    dest->numids = src->numids;
    for(unsigned int ii = 0; ii < src->numids; ++ii)
        dest->subid[ii] = src->subid[ii];
}
#endif

CPKIFAlgorithm * GetCACHashAlg(
    CACX509V3AlgorithmIdentifier* alg
    )
{
    if(0 == alg) return 0;

    CPKIFOIDPtr algOID(new CPKIFOID(alg->algorithm.subid, alg->algorithm.numids));
    CPKIFAlgorithm * pkifAlg = CPKIFAlgorithm::GetAlg(algOID);
    if (*(pkifAlg->OID()) != *algOID) {
        return 0;
    }
    return pkifAlg;
}
CPKIFAlgorithm * GetCACSymAlg(
    CACX509V3AlgorithmIdentifier* alg 
)
{
    if(0 == alg) return 0;

    CPKIFOIDPtr algOID(new CPKIFOID(alg->algorithm.subid, alg->algorithm.numids));
    CPKIFAlgorithm * pkifAlg = CPKIFAlgorithm::GetAlg(algOID);
    if (*(pkifAlg->OID()) != *algOID) {
        return 0;
    }
    return pkifAlg;
}
bool ModeRequiresIV(
    PKIFCRYPTO::SYMKEY_MODE mode)
{
    if(PKIFCRYPTO::ECB == mode)
        return false;
    else
        return true;
}




// Destructor

void EncodeDSASignature(
    unsigned char* sig,
    int nSigLen, 
    unsigned char** sigData,
    int* numocts)
{
    if(NULL == sig || 0 == nSigLen || MAXHASH*2 < nSigLen || NULL == sigData || NULL == numocts || 0 != nSigLen%2)
        throw CPKIFMessageException(TOOLKIT_MESSAGE_ASN, COMMON_INVALID_INPUT, "An input to EncodeDSASignature was invalid."); 

    //MAXHASH instead of MAXHASH/2 because it'll be an ASCII HEX input
    const int asciiHexHash = (MAXHASH*2) + 5;
    char r[asciiHexHash]; memset(r, 0, asciiHexHash); r[0] = '0'; r[1] = 'x'; //memsets added 11/7/2003
    char s[asciiHexHash]; memset(s, 0, asciiHexHash); s[0] = '0'; s[1] = 'x'; 
    
    //added this offset business 11/7/2003
    int offset = 2;
    if(sig[0] >= (unsigned char)0x80)
    {
        r[2] = '0'; ++offset;
        r[3] = '0'; ++offset;
    }
    btoa((char*)sig, r+offset, nSigLen/2);

    offset = 2;
    if(sig[(nSigLen/2)] >= (unsigned char)0x80)
    {
        s[2] = '0'; ++offset;
        s[3] = '0'; ++offset;
    }
    btoa((char*)sig+(nSigLen/2), s+offset, nSigLen/2);
    
    Dss_Sig_Value dssSigVal; 
    dssSigVal.r = r;
    dssSigVal.s = s;

    CACASNWRAPPER_CREATE(Dss_Sig_Value, tmpPDU);
    ASN1OpenType* data1 = tmpPDU.Encode(&dssSigVal);

    *numocts = data1->numocts;
    *sigData = new unsigned char[data1->numocts + 1];
    memcpy(*sigData, data1->data, data1->numocts);
    delete data1;//added 11/9
}
void AddSignedAttributes(
    unsigned char* hashResult, 
    int nHashResult, 
    CPKIFOIDPtr& eContentType, 
    CPKIFAttributeList& sas)
{
    //first, see if there's any work to do (i.e. if the content type is not id-data and/or
    //signed attributes are already present we have work to do - else return)
    if(*g_data == eContentType && sas.empty())
        return;

    //next look through the collected attributes and see if we have message digest and/or content type
    //attributes already present
    bool foundMD = false, foundCT = false;

    AttrMatch attrSearch;
    attrSearch.SetRHS(g_messageDigestAttribute);
    CPKIFAttributeList::iterator end = sas.end();
    if(end != find_if(sas.begin(), sas.end(), attrSearch))
        foundMD = true;
    
    attrSearch.SetRHS(g_contentTypeAttribute);
    if(end != find_if(sas.begin(), sas.end(), attrSearch))
        foundCT = true;

    if(!foundMD)
    {
        CPKIFMessageDigestAttributePtr mdAttr(new CPKIFMessageDigestAttribute());
        CPKIFBufferPtr mdBuf(new CPKIFBuffer(hashResult, nHashResult));
        mdAttr->SetMessageDigest(mdBuf);
        sas.push_back(mdAttr);
    }

    if(!foundCT)
    {
        CPKIFContentTypeAttributePtr ctAttr(new CPKIFContentTypeAttribute());
        ctAttr->SetContentType(eContentType);
        sas.push_back(ctAttr);
    }
}
void SetupAttributesInObjectiveStructure(
    CPKIFAttributeList& attrs,
    DList& objAttrs)
{
    objAttrs.count = 0;
    objAttrs.head = NULL;
    objAttrs.tail = NULL;

    DListNode* cur = NULL;
    CPKIFAttributeList::iterator sasPos;
    CPKIFAttributeList::iterator sasEnd = attrs.end();
    for(sasPos = attrs.begin(); sasPos != sasEnd; ++sasPos)
    {
        CPKIFBufferList bl;
        (*sasPos)->GetValues(bl);

        if(NULL == cur)
        {
            NEW_NODE(cur)
        }
        else
        {
            NEW_NEXT_AND_ADVANCE(cur)
        }

        CPKIFBufferList::iterator bufPos;
        DListNode* cur2 = NULL;

        CACCMSAttribute* attr = new CACCMSAttribute;
        CPKIFStringPtr str(new std::string((*sasPos)->GetOID()->ToString()));
        ASN1OBJID* tmpOid = ConvertStringToASN1OBJID(str);
        CopyOID(&attr->attrType, tmpOid);
        if(tmpOid)
            delete tmpOid;
        //CopyOID(&attr->attrType, (*sasPos)->GetOID()->raw());

        DList* attrVals = new DList;//;&attr->attrValues;
        attrVals->count = 0;
        attrVals->head = NULL;
        attrVals->tail = NULL;

        cur->data = attr;
        CPKIFBufferList::iterator bufEnd = bl.end();
        for(bufPos = bl.begin(); bufPos != bufEnd; ++bufPos)
        {
            if(NULL == cur2)
            {
                NEW_NODE(cur2)
            }
            else
            {
                NEW_NEXT_AND_ADVANCE(cur2)
            }

            ASN1OpenType* tmpOT = new ASN1OpenType;
            tmpOT->numocts = (*bufPos)->GetLength();
            tmpOT->data = new unsigned char[tmpOT->numocts];
            memcpy((void*)tmpOT->data, (*bufPos)->GetBuffer(), tmpOT->numocts);
            cur2->data = tmpOT;

            SET_HEAD_TAIL_INCREMENT((*attrVals), cur2)
        }

        SET_HEAD_TAIL_INCREMENT(objAttrs, cur)

        CACASNWRAPPER_CREATE(CACCMSAttributeValues, avs);
        ASN1OpenType* aot = avs.Encode(attrVals);

        attr->attrValues.data = new unsigned char[aot->numocts];
        // XXX TODO (REVIEW): Make sure this cast is decent and there's not a better function to use
        memcpy((void *)attr->attrValues.data,aot->data,aot->numocts);
        attr->attrValues.numocts = aot->numocts;
        delete aot;

        DListNode* cur = NULL, *tmp = NULL;
        cur = attrVals->head;
        while(NULL != cur)
        {
            ASN1OpenType* tmpOT = (ASN1OpenType*)cur->data;
            if(NULL != tmpOT->data)
                delete[] tmpOT->data;

            delete tmpOT;

            tmp = cur->next;
            delete cur;
            cur = tmp;
        }

        if(attrVals != NULL)
            delete attrVals;

        //XXX***CLEAN UP ATTRVALS

    }
}
void GetSignerInfo(
    CACCMSSignerInfo* tmpSignerInfo,
    CPKIFSignerInfoPtr& siPos, 
    unsigned char* hashResult, 
    int nHashResult, 
    IPKIFMediatorPtr m,
    CPKIFOIDPtr& eContentType,
    PKIFCRYPTO::HASH_ALG hashAlg,
    bool useSKIDIfPresent)
{
    IPKIFCryptoKeyIDOperations* cm = m->GetMediator<IPKIFCryptoKeyIDOperations>();
    IPKIFCryptoMisc* cMisc = m->GetMediator<IPKIFCryptoMisc>();

    //The hash value that is passed in is the hash of the data that is covered by the signed data
    //object that is parent to the signer info passed in.  This function will prepare the signer info,
    //including signature generation and attribute set-up.  Essentially, there are two scenarios that we support
    //(hopefully that's all there are) for signed attribute preparation:
    //  -if a signed attribute has been included by the caller, the target of the signature is the DER encoding 
    //      of the signed attributes.  In such cases the signed attributes must include content type and message 
    //      digest, where the message digest is the hash passed to this function.  
    //  - if the type of encapsulated data is not id-data then the content type must be included as a signed
    //      attribute (along with message digest).

    //Get the certificate from the credential and set-up the SignerIdentifer.  The following code AUTOMATICALLY
    //selects the type of signer identifier based on the presence/absence of a subject key ID in the signer's
    //certificate.
    if(!siPos->Decoded())
    {
        if(NULL == hashResult || 0 == nHashResult)
            throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_UNSUPPORTED_ALG, "SignerInfo contains an unsupported hash algorithm or a signer is being added to an object with detached content after encoding.");

        CPKIFCertificatePtr cert = siPos->GetCredential()->GetCertificate();
        CPKIFSubjectKeyIdentifierPtr skid = cert->GetExtension<CPKIFSubjectKeyIdentifier>();
        if(skid != (CPKIFSubjectKeyIdentifier*)NULL && useSKIDIfPresent)
        {
            tmpSignerInfo->version = CACCMSv3; 

            //use skid if present
            tmpSignerInfo->sid.t = 2;
            CPKIFBufferPtr skidBuf = skid->KeyIdentifier();
            tmpSignerInfo->sid.u.subjectKeyIdentifier = new CACCMSSubjectKeyIdentifier;
            tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts = skidBuf->GetLength();
            tmpSignerInfo->sid.u.subjectKeyIdentifier->data = new unsigned char[tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts];
            memcpy((void*)tmpSignerInfo->sid.u.subjectKeyIdentifier->data, skidBuf->GetBuffer(), tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts);
        }
        else
        {
            tmpSignerInfo->version = CACCMSv1; 

            //otherwise use issuer DN and serial number
            tmpSignerInfo->sid.t = 1;
            tmpSignerInfo->sid.u.issuerAndSerialNumber = new CACCMSIssuerAndSerialNumber;
            tmpSignerInfo->sid.u.issuerAndSerialNumber->serialNumber = cert->SerialNumber();

            CACASNWRAPPER_CREATE(CACX509V3Name, objPDU);
            CACX509V3Name *tmpName = NULL;
            CPKIFBufferPtr nameBuf = cert->Issuer()->rawName();
            tmpName = objPDU.Decode(nameBuf->GetBuffer(), nameBuf->GetLength());
            //CACX509V3Name *tmpName2 = &tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer;
            //tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer = *tmpName; 
            //CopyName(&tmpName2, *tmpName);
            CopyName(&tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer, *tmpName);
            //tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer = *cert->Issuer()->rawName();
        }

        tmpSignerInfo->m.signedAttrsPresent = 0;

        //de-hardcoded usage of SHA1 - 11/06/2003
        CPKIFStringPtr str(new std::string(siPos->GetDigestAlg()->oid()->ToString())); 
        ASN1OBJID* tmpOid = ConvertStringToASN1OBJID(str);
        CopyOID(&tmpSignerInfo->digestAlgorithm.algorithm, tmpOid);
        if(tmpOid)
            delete tmpOid;
        //CopyOID(&tmpSignerInfo->digestAlgorithm.algorithm, siPos->GetDigestAlg()->oid()->raw());
        tmpSignerInfo->digestAlgorithm.m.parametersPresent = 1;
        tmpSignerInfo->digestAlgorithm.parameters.data = nullParams;
        tmpSignerInfo->digestAlgorithm.parameters.numocts = 2;

        {//begin signed attribute block
            CPKIFAttributeList sas;
            siPos->GetSignedAttributes(sas);

            AddSignedAttributes(hashResult, nHashResult, eContentType, sas);
            SetupAttributesInObjectiveStructure(sas, tmpSignerInfo->signedAttrs);
            
            if(!sas.empty())
                tmpSignerInfo->m.signedAttrsPresent = 1;
        }//end signed attribute block

        unsigned char* signThis = hashResult;
        int nSignThisLen = nHashResult;

        HashInfo* hi = NULL;
        if(tmpSignerInfo->m.signedAttrsPresent)
        {
            //fix-up DER encoding of signed attributes

            hi = ComputeSignedAttrHash(tmpSignerInfo, cMisc);

            signThis = hi->m_hashResult;
            nSignThisLen = CPKIFAlgorithm::GetAlg(hi->m_hashAlg)->DigestSize();
        }

        unsigned char sig[500]; memset(sig, 0, 500);
        int nSigLen = 500;
        try
        {
            cm->Sign(*siPos->GetCredential(), signThis, nSignThisLen, sig, &nSigLen, hashAlg);
        }
        catch(CPKIFException& e)
        {
            if(NULL != hi)
                delete hi;

            std::string reason = "Error generating signature using credential named: ";
            reason.append(siPos->GetCredential()->Name());

            CPKIFMessageException me(TOOLKIT_MESSAGE_ASN, MSG_SIGNATURE_GENERATION_ERROR, reason.c_str());
            me.push_info(e);
            //delete e;
            throw me;
        }

        if(NULL != hi)
            delete hi;

        CPKIFStringPtr anotherStr2; 
        CPKIFAlgorithmIdentifierPtr certAlg = cert->SubjectPublicKeyInfo()->alg();
        if(DSA_CLASS == GetAlgClass(certAlg))
        {
            //need to encode the DSA signature
            EncodeDSASignature(sig, nSigLen, (unsigned char**)&tmpSignerInfo->signature.data, (int*)&tmpSignerInfo->signature.numocts);

            if(PKIFCRYPTO::SHA1 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_dsaWithSHA1->ToString())); 
                anotherStr2 = tmpOidSt;
            }
        }
        else if(RSA_CLASS == GetAlgClass(certAlg))
        {
            tmpSignerInfo->signature.data = new unsigned char[nSigLen];
            memcpy((void*)tmpSignerInfo->signature.data, sig, nSigLen);
            tmpSignerInfo->signature.numocts = nSigLen;

            if(PKIFCRYPTO::MD5 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_md5WithRSAEncryption->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA1 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_sha1WithRSAEncryption->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA224 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_sha224WithRSAEncryption->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA256 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_sha256WithRSAEncryption->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA384 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_sha384WithRSAEncryption->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA512 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_sha512WithRSAEncryption->ToString())); 
                anotherStr2 = tmpOidSt;
            }
        }
        else if(ECDSA_CLASS == GetAlgClass(certAlg))
        {
            EncodeDSASignature(sig, nSigLen, (unsigned char**)&tmpSignerInfo->signature.data, (int*)&tmpSignerInfo->signature.numocts);
            if(PKIFCRYPTO::SHA1 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_ecdsa_sha1->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA224 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_ecdsa_sha224->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA256 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_ecdsa_sha256->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA384 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_ecdsa_sha384->ToString())); 
                anotherStr2 = tmpOidSt;
            }
            else if(PKIFCRYPTO::SHA512 == hashAlg)
            {
                CPKIFStringPtr tmpOidSt(new std::string(g_ecdsa_sha512->ToString())); 
                anotherStr2 = tmpOidSt;
            }
        }
        else
        {
            tmpSignerInfo->signature.data = new unsigned char[nSigLen];
            memcpy((void*)tmpSignerInfo->signature.data, sig, nSigLen);
            tmpSignerInfo->signature.numocts = nSigLen;
        }

        if(!anotherStr2)
        {
            CPKIFStringPtr tmpOidSt(new std::string(certAlg->oid()->ToString())); 
            anotherStr2 = tmpOidSt;
        }
        ASN1OBJID* anotherTmpOid = ConvertStringToASN1OBJID(anotherStr2);
        CopyOID(&tmpSignerInfo->signatureAlgorithm.algorithm, anotherTmpOid);
        if(anotherTmpOid)
            delete anotherTmpOid;
        //CopyOID(&tmpSignerInfo->signatureAlgorithm.algorithm, certAlg->oid()->raw());

        if(certAlg->hasParameters())
        {
            tmpSignerInfo->signatureAlgorithm.m.parametersPresent = 1;

            CPKIFBufferPtr params = certAlg->parameters();
            tmpSignerInfo->signatureAlgorithm.parameters.numocts = params->GetLength();
            tmpSignerInfo->signatureAlgorithm.parameters.data = new unsigned char[tmpSignerInfo->signatureAlgorithm.parameters.numocts];
            memcpy((void*)tmpSignerInfo->signatureAlgorithm.parameters.data, params->GetBuffer(), tmpSignerInfo->signatureAlgorithm.parameters.numocts);
        }
        else
            tmpSignerInfo->signatureAlgorithm.m.parametersPresent = 0;

        tmpSignerInfo->m.unsignedAttrsPresent = 0;
        {//begin unsigned attribute block
            CPKIFAttributeList sas;
            siPos->GetUnsignedAttributes(sas);

            SetupAttributesInObjectiveStructure(sas, tmpSignerInfo->unsignedAttrs);
            
            if(!sas.empty())
                tmpSignerInfo->m.unsignedAttrsPresent = 1;
        }//end unsigned attribute block
    }
    else
    {
        //if the signer info was recovered from an existing message and has a signature then the only change
        //permitted will be to add unsigned attributes
        switch(siPos->GetSignerIdentifierChoice())
        {
        case CPKIFSignerInfo::SKID:
            {
                CPKIFBufferPtr skidBuf = siPos->GetSKID();
                tmpSignerInfo->version = CACCMSv3; 

                //use skid if present
                tmpSignerInfo->sid.t = 2;
                tmpSignerInfo->sid.u.subjectKeyIdentifier = new CACCMSSubjectKeyIdentifier;
                tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts = skidBuf->GetLength();
                tmpSignerInfo->sid.u.subjectKeyIdentifier->data = new unsigned char[tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts];
                memcpy((void*)tmpSignerInfo->sid.u.subjectKeyIdentifier->data, skidBuf->GetBuffer(), tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts);
            }
            break;
        case CPKIFSignerInfo::ISSUERANDSERIAL:
            {
                tmpSignerInfo->version = CACCMSv1; 

                CPKIFIssuerAndSerialNumberPtr issAndSN = siPos->GetIssuerAndSerialNumber();
                CPKIFNamePtr name = issAndSN->GetName();
                const char* sn = issAndSN->GetSerialNumber();

                //otherwise use issuer DN and serial number
                tmpSignerInfo->sid.t = 1;
                tmpSignerInfo->sid.u.issuerAndSerialNumber = new CACCMSIssuerAndSerialNumber;
                tmpSignerInfo->sid.u.issuerAndSerialNumber->serialNumber = sn;
                
                CACASNWRAPPER_CREATE(CACX509V3Name, objPDU);
                CACX509V3Name *tmpName = NULL;
                CPKIFBufferPtr nameBuf = name->rawName();
                tmpName = objPDU.Decode(nameBuf->GetBuffer(), nameBuf->GetLength());
                //tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer = *tmpName;
                CopyName(&tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer, *tmpName); 
                //tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer = *name->rawName();
            }
            break;
        default:
            throw CPKIFMessageException(TOOLKIT_MESSAGE_ASN, COMMON_UNSUPPORTED_CHOICE, "Unsupported signer info choice");
        }

        //de-hardcoded usage of SHA1 - 12/09/2003
        CPKIFStringPtr str2(new std::string(siPos->GetDigestAlg()->oid()->ToString())); 
        ASN1OBJID* tmpOid = ConvertStringToASN1OBJID(str2);
        CopyOID(&tmpSignerInfo->digestAlgorithm.algorithm, tmpOid);
        if(tmpOid)
            delete tmpOid;
        //CopyOID(&tmpSignerInfo->digestAlgorithm.algorithm, siPos->GetDigestAlg()->oid()->raw());
        tmpSignerInfo->digestAlgorithm.m.parametersPresent = 1;
        tmpSignerInfo->digestAlgorithm.parameters.data = nullParams;
        tmpSignerInfo->digestAlgorithm.parameters.numocts = 2;

        tmpSignerInfo->m.signedAttrsPresent = 0;

        {//begin signed attribute block
            CPKIFAttributeList sas;
            siPos->GetSignedAttributes(sas);

            AddSignedAttributes(hashResult, nHashResult, eContentType, sas);
            SetupAttributesInObjectiveStructure(sas, tmpSignerInfo->signedAttrs);
            
            if(!sas.empty())
                tmpSignerInfo->m.signedAttrsPresent = 1;
        }//end signed attribute block

        CPKIFAlgorithmIdentifierPtr sigAlg = siPos->GetSignatureAlgorithm();
        CPKIFBufferPtr sig = siPos->GetSignature();

        tmpSignerInfo->signature.numocts = sig->GetLength();
        tmpSignerInfo->signature.data = new unsigned char[tmpSignerInfo->signature.numocts];
        memcpy((void*)tmpSignerInfo->signature.data, sig->GetBuffer(), tmpSignerInfo->signature.numocts);


        CPKIFStringPtr thurdStr(new std::string(sigAlg->oid()->ToString())); 
        ASN1OBJID* thirdTmpOid = ConvertStringToASN1OBJID(thurdStr);
        CopyOID(&tmpSignerInfo->signatureAlgorithm.algorithm, thirdTmpOid);
        if(thirdTmpOid)
            delete thirdTmpOid;
        //CopyOID(&tmpSignerInfo->signatureAlgorithm.algorithm, sigAlg->oid()->raw());

        if(sigAlg->hasParameters())
        {
            CPKIFBufferPtr algParams = sigAlg->parameters();
            tmpSignerInfo->signatureAlgorithm.m.parametersPresent = 1;
            tmpSignerInfo->signatureAlgorithm.parameters.numocts = algParams->GetLength();

            tmpSignerInfo->signatureAlgorithm.parameters.data = new unsigned char[tmpSignerInfo->signatureAlgorithm.parameters.numocts];
            memcpy((void*)tmpSignerInfo->signatureAlgorithm.parameters.data, algParams->GetBuffer(), tmpSignerInfo->signatureAlgorithm.parameters.numocts);
        }
        else
        {
            tmpSignerInfo->signatureAlgorithm.m.parametersPresent = 0;
        }

        tmpSignerInfo->m.unsignedAttrsPresent = 0;
        {//begin unsigned attribute block
            CPKIFAttributeList sas;
            siPos->GetUnsignedAttributes(sas);

            SetupAttributesInObjectiveStructure(sas, tmpSignerInfo->unsignedAttrs);
            
            if(!sas.empty())
                tmpSignerInfo->m.unsignedAttrsPresent = 1;
        }//end unsigned attribute block
    }
}
HashInfo* ComputeSignedAttrHash(
    CACCMSSignerInfo* si, 
    IPKIFCryptoMisc* cMisc)
{
    if(si->m.signedAttrsPresent)
    {
        CPKIFAlgorithm * hashAlg = GetCACHashAlg(&si->digestAlgorithm);
        if(!hashAlg)
            return NULL; //unknown hash alg

        OOCTXT ctxt;
        initContext (&ctxt);
        setBEREncBufPtr(&ctxt, NULL, 0);
        OOCTXT* pctxt = &ctxt;

        unsigned char* tmpP = NULL;
        int len = BEREncCACCMSSignedAttributes(pctxt, &si->signedAttrs, ASN1EXPL);
        if(0 < len)
        {
            tmpP = (unsigned char*)getBEREncBufPtr(&ctxt);
        }

        IPKIFHashContext* hc = NULL;
        HashInfo* hi = new HashInfo(); //context field does not matter in this case
        try
        {
            hi->m_hashAlg = hashAlg->HashAlg();
            hc = cMisc->HashInit(hi->m_hashAlg);
            cMisc->HashUpdate(hc, tmpP, len);
            int nResultLen = MAXHASH;
            cMisc->HashFinal(hc, hi->m_hashResult, &nResultLen);
            delete hc;
        }
        catch(CPKIFException& e)
        {
            if(NULL != hc)
                delete hc;

            if(NULL != hi)
                delete hi;
            //freeEncodeBuffer(&ctxt);
            //memFreeAll(&ctxt);
            freeContext(&ctxt);
            throw e;
        }

        //freeEncodeBuffer(&ctxt);
        //memFreeAll(&ctxt);
        freeContext(&ctxt);

        return hi;
    }
    else
        return NULL;
}
bool CompareHashes(
    HashInfo* hi2,
    CACCMSSignerInfo* si)
{
    if(NULL == hi2 || NULL == si || !si->m.signedAttrsPresent)
        return false;

    DListNode* cur = si->signedAttrs.head;
    while(NULL != cur)
    {
        CACCMSAttribute* curAttr = (CACCMSAttribute*)cur->data;
        CPKIFOIDPtr curAttrType(new CPKIFOID(curAttr->attrType.subid, curAttr->attrType.numids));
        if(*g_messageDigestAttribute == *curAttrType)
        {
            CACASNWRAPPER_CREATE(CACCMSAttributeValues, attrValues);
            attrValues.Decode(curAttr->attrValues);

            if(0 != attrValues->count)
            {
                CACCMSAttributeValue* curVal = (CACCMSAttributeValue*)attrValues->head->data;

                OOCTXT ctxt;
                initContext (&ctxt);
                setBERDecBufPtr(&ctxt, curVal->data, curVal->numocts, NULL, NULL);
                OOCTXT* pctxt = &ctxt;

                unsigned char* hashVal = NULL;
                unsigned int hashValLen = 0;

                int stat = decodeDynOctStr (pctxt, (const OSOCTET* *)&hashVal, (OSUINT32 *)&hashValLen, ASN1EXPL, curVal->numocts);
                if (stat != ASN_OK)
                {
                    //freeEncodeBuffer(&ctxt);
                    //memFreeAll(&ctxt);
                    freeContext(&ctxt);
                    throw CPKIFMessageException(TOOLKIT_MESSAGE_ASN, ASN1_DECODE_ERROR, "Failed to decode hash value");
                }

                bool match = true;
                if(hi2->m_hashAlg != hashValLen)
                    match = false;

                if(0 != memcmp(hi2->m_hashResult, hashVal, hashValLen))
                    match = false;

                //clean up the context
                //if(hashVal)
                //{
                //  memFreePtr (&ctxt, hashVal);
                //}
                //freeEncodeBuffer(&ctxt);
                //memFreeAll(&ctxt);
                freeContext(&ctxt);

                return match;
            }
        }

        cur = cur->next;
    }

    return false;
}

//*****************************************************************************
//  utility functions
//*****************************************************************************
//compare RID info with info from a cert that is also passed as parameters
bool RIDMatch(
    CACCMSRecipientIdentifier* rid, 
    CPKIFNamePtr& issuer, 
    const char* serial, 
    CPKIFSubjectKeyIdentifierPtr& skid)
{
    //if there's nothing to compare return false
    if(NULL == rid)
        return false;

    switch(rid->t)
    {
    case 1: //issuer and serial
        {
        if(NULL == serial 
            || issuer == (CPKIFName*)NULL 
            || NULL == rid->u.issuerAndSerialNumber
            || NULL == rid->u.issuerAndSerialNumber->serialNumber)
            return false;

        CACASNWRAPPER_CREATE(CACX509V3Name, objPDU);
        ASN1OpenType* data1 = objPDU.Encode(&(rid->u.issuerAndSerialNumber->issuer));
        CPKIFBufferPtr tmpBuf;
        if(data1 != NULL)
        {
             tmpBuf = CPKIFBufferPtr(new CPKIFBuffer(data1->data, data1->numocts));
            delete data1;
        }
        CPKIFNamePtr ridName(new CPKIFName(tmpBuf));
        //CPKIFNamePtr ridName(new CPKIFName(rid->u.issuerAndSerialNumber->issuer));
        if(0 == stricmp(rid->u.issuerAndSerialNumber->serialNumber, serial) &&
            *ridName == *issuer)
            return true;
        else
            return false;
        }
        break;
    case 2: //skid
        {
        if(skid == (CPKIFSubjectKeyIdentifier*)NULL 
            || NULL == rid->u.subjectKeyIdentifier
            || NULL == rid->u.subjectKeyIdentifier->data 
            || 0 == rid->u.subjectKeyIdentifier->numocts)
            return false;

        CPKIFBufferPtr skidBuf = skid->KeyIdentifier();

        if(skidBuf == (CPKIFBuffer*)NULL ||
            rid->u.subjectKeyIdentifier->numocts != skidBuf->GetLength())
            return false;

        if(0 == memcmp(skidBuf->GetBuffer(), rid->u.subjectKeyIdentifier->data, rid->u.subjectKeyIdentifier->numocts))
            return true;
        else
            return false;
        }
        break;
    default:
        return false;
    }
}
bool RIDMatch(
    CACCMSKeyAgreeRecipientIdentifier* rid, 
    CPKIFNamePtr& issuer, 
    const char* serial, 
    CPKIFSubjectKeyIdentifierPtr& skid)
{
    //if there's nothing to compare return false
    if(NULL == rid)
        return false;

    switch(rid->t)
    {
    case 1: //issuer and serial
        {
        if(NULL == serial 
            || issuer == (CPKIFName*)NULL 
            || NULL == rid->u.issuerAndSerialNumber
            || NULL == rid->u.issuerAndSerialNumber->serialNumber)
            return false;

        CACASNWRAPPER_CREATE(CACX509V3Name, objPDU);
        ASN1OpenType* data1 = objPDU.Encode(&(rid->u.issuerAndSerialNumber->issuer));
        CPKIFBufferPtr tmpBuf;
        if(data1 != NULL)
        {
             tmpBuf = CPKIFBufferPtr(new CPKIFBuffer(data1->data, data1->numocts));
            delete data1;
        }
        CPKIFNamePtr ridName(new CPKIFName(tmpBuf));
        //CPKIFNamePtr ridName(new CPKIFName(rid->u.issuerAndSerialNumber->issuer));
        if(0 == stricmp(rid->u.issuerAndSerialNumber->serialNumber, serial) &&
            *ridName == *issuer)
            return true;
        else
            return false;
        }
        break;
    case 2: //skid (not supporting date and whatnot)
        {
        if(skid == (CPKIFSubjectKeyIdentifier*)NULL 
            || NULL == rid->u.rKeyId->subjectKeyIdentifier.data 
            || 0 == rid->u.rKeyId->subjectKeyIdentifier.numocts)
            return false;

        CPKIFBufferPtr skidBuf = skid->KeyIdentifier();

        if(skidBuf == (CPKIFBuffer*)NULL ||
            rid->u.rKeyId->subjectKeyIdentifier.numocts != skidBuf->GetLength())
            return false;

        if(0 == memcmp(skidBuf->GetBuffer(), rid->u.rKeyId->subjectKeyIdentifier.data, rid->u.rKeyId->subjectKeyIdentifier.numocts))
            return true;
        else
            return false;
        }
        break;
    default:
        return false;
    }
}

//given a credential, a crypto interface pointer and a recipient bag find the recipient info that matches the 
//credential and return decrypted key material.
CPKIFKeyMaterialPtr GetSymmetricKey(
    const CPKIFKEKRecipInfoDetailsPtr& kek,
    IPKIFCryptoRawOperations* cKeyID,
    CACCMSRecipientInfos* ris)
{
    //declare an (initially empty) key material pointer.  this function returns the empty km upon failure
    //or a populated km upon success
    CPKIFKeyMaterialPtr km;

    //sanity check the inputs - if anything is not kosher return the empty km
    if(NULL == ris || 0 == ris->count || kek == (CPKIFKEKRecipInfoDetails*)NULL)
        return km;

    //gather some info about the credential that will be used to decrypt the key
    CPKIFBufferPtr kid = kek->GetKeyIdentifier();
    if(kid == (CPKIFBuffer*)NULL)
        return km;

    //iterate over all of the recipient infos looking for a kekri with a key identifier that matches the kek passed in
    DListNode* cur = ris->head;
    while(NULL != cur)
    {
        CACCMSRecipientInfo* ri = (CACCMSRecipientInfo*)cur->data;

        switch(ri->t)
        {
            case 3: //kekri
            {
                //get pointer to kekri stucture
                CACCMSKEKRecipientInfo* kekri = ri->u.kekri;

                //temporarily put the key id from the current kekri into a CPKIFBufferPtr for comparison purposes
                CPKIFBuffer tmpKID(false, (unsigned char*)kekri->kekid.keyIdentifier.data, kekri->kekid.keyIdentifier.numocts);
                if(*kid == tmpKID)
                {
                    //if they match - allocate an outbound buffer and a key material object
                    //throw bad_alloc
                    CPKIFKeyMaterialPtr kmFound(new CPKIFKeyMaterial);
                    unsigned char* pResult = new unsigned char[kekri->encryptedKey.numocts];
                    int nResultLen = kekri->encryptedKey.numocts;

                    CPKIFKeyMaterialPtr theKEK = kek->GetKEK();

                    if(kekri->keyEncryptionAlgorithm.m.parametersPresent)
                    {
                        OOCTXT ctxt;
                        initContext (&ctxt);
                        setBERDecBufPtr(&ctxt, kekri->keyEncryptionAlgorithm.parameters.data, kekri->keyEncryptionAlgorithm.parameters.numocts, NULL, NULL);
                        OOCTXT* pctxt = &ctxt;

                        unsigned char* hashVal = NULL;
                        unsigned int hashValLen = 0;

                        int stat = decodeDynOctStr (pctxt, (const OSOCTET* *)&hashVal, (OSUINT32 *)&hashValLen, ASN1EXPL, kekri->keyEncryptionAlgorithm.parameters.numocts);
                        if (stat != ASN_OK)
                        {
                            //freeEncodeBuffer(&ctxt);
                            //memFreeAll(&ctxt);
                            freeContext(&ctxt);
                            throw CPKIFMessageException(TOOLKIT_MESSAGE_ASN, ASN1_DECODE_ERROR, "Failed to decode hash value");
                        }

                        theKEK->SetIV(hashVal, hashValLen);

                        //clean up the context
                        //freeEncodeBuffer(&ctxt);
                        //memFreeAll(&ctxt);
                        freeContext(&ctxt);
                    }

                    try
                    {
                        cKeyID->Decrypt(*theKEK, (unsigned char*)kekri->encryptedKey.data, kekri->encryptedKey.numocts, pResult, &nResultLen);
                    }
                    catch(...)
                    {
                        //if any exception is throw delete the result buffer and return
                        if(pResult)
                            delete[] pResult;

                        throw;
                    }
                    
                    //associate the decrypted key with the key material pointer
                    kmFound->SetSymmetricKey(pResult, nResultLen);

                    //clean up the temp buffer containing the decrypted key
                    memset(pResult, 0, nResultLen); delete[] pResult;
                    return kmFound;
                }
                break;
            }
            case 1: //ktri
            case 2: //kari
            default:
                //don't choke - don't use
                break;
        }

        cur = cur->next;
    }

    //if nothing was found return the empty km
    return km;
}
CPKIFCertificatePtr GetOriginatorCertFromOriginatorInfo(
    CACCMSKeyAgreeRecipientInfo* kari, 
    CACCMSOriginatorInfo* oi)
{
    CPKIFCertificatePtr emptyCert;
    if(!kari || !oi || !oi->m.certsPresent)
        return emptyCert;

    DListNode* iter = oi->certs.head;
    while(NULL != iter)
    {
        CACCMSCertificateChoices* curChoice = (CACCMSCertificateChoices*)iter->data;
        if(T_CACCMSCertificateChoices_certificate != curChoice->t)
        {
            iter = iter->next;
            continue;
        }

        ASN1OpenType* cert = (ASN1OpenType*)curChoice->u.certificate;

        try
        {
            CPKIFCertificatePtr newCert(new CPKIFCertificate());
            newCert->Decode(cert->data, cert->numocts);

            if(T_CACCMSOriginatorIdentifierOrKey_subjectKeyIdentifier == kari->originator.t)
            {
                CPKIFSubjectKeyIdentifierPtr skid = newCert->GetExtension<CPKIFSubjectKeyIdentifier>();
                if(skid != (CPKIFSubjectKeyIdentifier*)NULL)
                {
                    CPKIFBufferPtr skidBuf = skid->KeyIdentifier();
                    if(skidBuf->GetLength() == (kari->originator.u.subjectKeyIdentifier->numocts) &&
                        0 == memcmp(skidBuf->GetBuffer(), kari->originator.u.subjectKeyIdentifier->data, skidBuf->GetLength()))
                    return newCert;
                }
            }
            else if(T_CACCMSOriginatorIdentifierOrKey_originatorKey == kari->originator.t)
            {
                CPKIFBufferPtr rawKey = newCert->SubjectPublicKeyInfo()->rawKey();
                if(rawKey->GetLength() == (kari->originator.u.originatorKey->publicKey.numbits/8) &&
                    0 == memcmp(rawKey->GetBuffer(), kari->originator.u.originatorKey->publicKey.data, rawKey->GetLength()))
                    return newCert;
            }
            else if(T_CACCMSOriginatorIdentifierOrKey_issuerAndSerialNumber == kari->originator.t)
            {
                //XXX***IMPLEMENT ME
            }
        }
        catch(CPKIFException&)
        {
            //don't bother the caller with malformed certs
        }
        catch(std::bad_alloc& ba)
        {
            //empty the list
            throw ba;
        }

        iter = iter->next;
    }
    return emptyCert;
}

CPKIFBufferPtr GetOriginatorPublicKey(
    CACCMSKeyAgreeRecipientInfo* kari, 
    CACCMSOriginatorInfo* oi, 
    CPKIFCertificatePtr& origCert)
{
    //make sure no garbage is passed in as origCert
    CPKIFCertificatePtr emptyCert;
    origCert = emptyCert;

    CPKIFBufferPtr origPubKey;
    if(T_CACCMSOriginatorIdentifierOrKey_originatorKey == kari->originator.t)
    {
        //prepare key for return
        CPKIFBufferPtr tmprv(new CPKIFBuffer(kari->originator.u.originatorKey->publicKey.data, kari->originator.u.originatorKey->publicKey.numbits/8));
        origPubKey = tmprv;
    }

    if(oi)
    {
        //find the cert in the cert bag
        origCert = GetOriginatorCertFromOriginatorInfo(kari, oi);
    }

    if(origCert == (CPKIFCertificate*)NULL)
    {
        //if it wasn't in the bag, see if we have it locally somewhere
    }

    if(origCert != (CPKIFCertificate*)NULL && origPubKey == (CPKIFBuffer*)NULL)
    {
        origPubKey = origCert->GetSubjectPublicKeyInfo()->rawKey();
    }

    return origPubKey;
}

CPKIFKeyMaterialPtr GetSymmetricKey(
    CPKIFCredentialPtr& cred,
    IPKIFCryptoKeyIDOperations* cKeyID,
    CACCMSRecipientInfos* ris,
    IPKIFCryptoKeyAgree* ka,
    IPKIFCryptoRawOperations* cRaw,
    CACCMSOriginatorInfo* oi)
{
    CPKIFKeyMaterialPtr km;
    if(NULL == ris || 0 == ris->count)
        return km;

    //gather some info about the credential that will be used to decrypt the key
    CPKIFCertificatePtr cert = cred->GetCertificate();
    if(cert == (CPKIFCertificate*)NULL)
        return km;

    CPKIFNamePtr issuer = cert->Issuer();
    const char* serial = cert->SerialNumber();
    CPKIFSubjectKeyIdentifierPtr skid = cert->GetExtension<CPKIFSubjectKeyIdentifier>();

    DListNode* cur = ris->head;
    while(NULL != cur)
    {
        CACCMSRecipientInfo* ri = (CACCMSRecipientInfo*)cur->data;

        switch(ri->t)
        {
            case 1: //ktri
                {
                CACCMSKeyTransRecipientInfo* ktri = ri->u.ktri;
                if(RIDMatch(&ktri->rid, issuer, serial, skid))
                {
                    unsigned char* pResult = new unsigned char[ktri->encryptedKey.numocts];
                    int nResultLen = ktri->encryptedKey.numocts;

                    //added try/catch 04/30/03
                    try
                    {
                        cKeyID->Decrypt(*cred, (unsigned char*)ktri->encryptedKey.data, ktri->encryptedKey.numocts, pResult, &nResultLen);
                    }
                    catch(CPKIFException& e)
                    {
                        if(pResult)
                            delete[] pResult;

                        throw e;
                    }
                    catch(std::exception& se)
                    {
                        if(pResult)
                            delete[] pResult;

                        throw se;
                    }
                    
                    CPKIFKeyMaterialPtr kmFound(new CPKIFKeyMaterial);
                    kmFound->SetSymmetricKey(pResult, nResultLen);
                    delete[] pResult;
                    return kmFound;
                }
                }
                break;
            case 2: //kari
                {
                if(!ka) break;
                //get a pointer to the key agreement recipient info structure
                CACCMSKeyAgreeRecipientInfo* kari = ri->u.kari;

                //determine the key encryption algorithm
                CPKIFOIDPtr kekAlgOID(new CPKIFOID(kari->keyEncryptionAlgorithm.algorithm.subid, kari->keyEncryptionAlgorithm.algorithm.numids));
                CPKIFAlgorithm* kekAlg = CPKIFAlgorithm::GetAlg(kekAlgOID);

                //get the originator public key and certificate, if available.
                CPKIFCertificatePtr origCert;
                CPKIFBufferPtr origPublicKey = GetOriginatorPublicKey(kari, oi, origCert);
                if(origCert != (CPKIFCertificate*)NULL)
                {
                    //*** XXX validate the certificate if it was recovered... this won't happen with the current
                    //implementation of GetOriginatorPublicKey()
                }
                CPKIFAlgorithm * kwAlg = 0;
                
                // a context that will hold the shared secret and can produce a derived
                // key
                IPKIFKeyAgreeContextPtr ctx;

                if(*kekAlgOID == *g_ecdh_std_sha1kdf) {
                    if(!ri->u.kari->keyEncryptionAlgorithm.m.parametersPresent) {
                        // XXX *** break or throw? for now, just break. something above
                        // will throw
                        break;
                    }
                    CACASNWRAPPER_CREATE(ECC_CMS_SharedInfo,ecsPDU);
                    ECC_CMS_SharedInfo * si = ecsPDU.Decode( ri->u.kari->keyEncryptionAlgorithm.parameters );
                    if(!si) {
                        break;
                    }
                    CPKIFOIDPtr kwAlgOID(new CPKIFOID(si->keyInfo.algorithm.subid,si->keyInfo.algorithm.numids));
                    kwAlg = CPKIFAlgorithm::GetAlg(kwAlgOID);
                    if(!kwAlg) {
                        // XXX *** might better throw here
                        break;
                    }
                    ctx = ka->SecretAgree(cred,origPublicKey, kekAlg);

                } else if(*kekAlgOID == *g_ecmqv_sha1kdf) {
                    if(!ri->u.kari->keyEncryptionAlgorithm.m.parametersPresent) {
                        // XXX *** break or throw? for now, just break. something above
                        // will throw
                        break;
                    }
                    if(!ri->u.kari->m.ukmPresent) {
                        // XXX *** break or throw? for now, just break. something above
                        // will throw
                        break;
                    }
                    CACASNWRAPPER_CREATE(ECC_CMS_SharedInfo,ecsPDU);
                    ECC_CMS_SharedInfo * si = ecsPDU.Decode( ri->u.kari->keyEncryptionAlgorithm.parameters );
                    if(!si) {
                        break;
                    }
                    CPKIFOIDPtr kwAlgOID(new CPKIFOID(si->keyInfo.algorithm.subid,si->keyInfo.algorithm.numids));
                    kwAlg = CPKIFAlgorithm::GetAlg(kwAlgOID);
                    if(!kwAlg) {
                        // XXX *** might better throw here
                        break;
                    }
                    CACASNWRAPPER_CREATE(MQVuserKeyingMaterial,ukmPDU);
                    MQVuserKeyingMaterial * ukm = ukmPDU.Decode(ri->u.kari->ukm.data, ri->u.kari->ukm.numocts);
                    CPKIFBufferPtr ephemPK(new CPKIFBuffer(ukm->ephemeralPublicKey.publicKey.data,ukm->ephemeralPublicKey.publicKey.numbits/8));
                    ctx = ka->SecretAgree(cred, ephemPK, origPublicKey, kekAlg);
                    
                } else {
                    break; // allow other attempts even if this function doesn't recognize the KA scheme
                }

                CPKIFKeyMaterialPtr kek;
                CPKIFBufferPtr sharedInfo(new CPKIFBuffer(ri->u.kari->keyEncryptionAlgorithm.parameters.data,ri->u.kari->keyEncryptionAlgorithm.parameters.numocts));
                ctx->AppendSharedInfo(sharedInfo);
                kek = ka->DeriveKey(ctx,kwAlg->KeySize());
                if(!kek) break;
                kek->SetSymmetricKeyAlgorithm(kwAlg->SymkeyAlg());
                kek->SetMode(kwAlg->SymkeyMode());  
                
                //loop over the recipient keys until the one that matches the current credential is found
                DListNode* node = kari->recipientEncryptedKeys.head;
                CACCMSRecipientEncryptedKey* rid = NULL;
                for(OSUINT32 ii = 0; ii < kari->recipientEncryptedKeys.count; ++ii)
                {
                    rid = (CACCMSRecipientEncryptedKey*)node->data;
                    if(RIDMatch(&rid->rid, issuer, serial, skid))
                    {
                        //having found the RID, allocate some space for the decrypted key then call decrypt
                        unsigned char* pResult = new unsigned char[rid->encryptedKey.numocts];
                        int nResultLen = rid->encryptedKey.numocts;

                        try
                        {
                            cRaw->Decrypt(*kek, (unsigned char*)rid->encryptedKey.data, rid->encryptedKey.numocts, pResult, &nResultLen);
                        }
                        catch(CPKIFException& e)
                        {
                            if(pResult)
                                delete[] pResult;

                            throw e;
                        }
                        catch(std::exception& se)
                        {
                            if(pResult)
                                delete[] pResult;

                            throw se;
                        }

                        //pass the decrypted key back to the caller
                        CPKIFKeyMaterialPtr kmFound(new CPKIFKeyMaterial);
                        kmFound->SetSymmetricKey(pResult, nResultLen);
                        delete[] pResult;
                        return kmFound;
                    }
                    node = node->next;
                }

                }
                break;
            case 3: //kekri
                //don't choke - don't use
                break;
        }

        cur = cur->next;
    }

    return km;
}
CPKIFCredentialPtr AutoDiscoverDecryptionKey(
    IPKIFCryptoKeyIDOperations* cKeyID, 
    CACCMSRecipientInfos* ris)
{
    //this function will attempt to locate a stored key that matches a recipient info in the current message.

    CPKIFCredentialPtr tmpCred;
    if(NULL == cKeyID || NULL == ris || 0 == ris->count)
        return tmpCred;

    //ask the crypto mediator for a list of all keys that may be used for key encipherment
    bitset<9> ku = PKIFCRYPTO::KeyEncipherment;
    CPKIFCredentialList vKeyID;
    try
    {
        cKeyID->GetKeyList(vKeyID, &ku);
    }
    catch(CPKIFException& e)
    {
        throw e;
    }

    CPKIFCredentialList::iterator pos, match;
    CPKIFCredentialList::iterator end = vKeyID.end();
    for(pos = vKeyID.begin(); pos != end; ++pos)
    {
        CPKIFCertificatePtr cert = (*pos)->GetCertificate();
        if(cert == (CPKIFCertificate*)NULL)
            continue;

        CPKIFNamePtr issuer = cert->Issuer();
        const char* serial = cert->SerialNumber();
        CPKIFSubjectKeyIdentifierPtr skid = cert->GetExtension<CPKIFSubjectKeyIdentifier>();

        //we only support ktri option currently, iterate over all ktris for each possible
        //key encipherment key returning the first key that matches a ktri
        DListNode* cur = ris->head;
        while(NULL != cur)
        {
            CACCMSRecipientInfo* ri = (CACCMSRecipientInfo*)cur->data;

            switch(ri->t)
            {
                case 1: //ktri
                    {
                    CACCMSKeyTransRecipientInfo* ktri = ri->u.ktri;
                    if(RIDMatch(&ktri->rid, issuer, serial, skid))
                        return *pos;//return the current credential if we find a RID match
                    }
                    break;
                case 2: //kari
                case 3: //kekri
                    //don't choke - don't use
                    break;
            }

            cur = cur->next;
        }
    }

    return tmpCred;
}
void EncodeIVAsOctetString(
    unsigned char* iv,
    int ivLen, 
    unsigned char** encodedIV, 
    int* encodedIVLen)
{
    OOCTXT ctxt;
    initContext (&ctxt);
    setBEREncBufPtr(&ctxt, NULL, 0);
    OOCTXT* pctxt = &ctxt;

    int stat = encodeOctStr (pctxt, (const OSOCTET*)iv, (OSUINT32)ivLen, ASN1EXPL);
    if (stat < 0)
    {
        throw CPKIFMessageException(TOOLKIT_MESSAGE_ASN, ASN1_ENCODE_ERROR, "Failed to encode IV value");
    }

    *encodedIVLen = stat;
    char* tmpP = (char*)getBEREncBufPtr(&ctxt);

    *encodedIV = new unsigned char[*encodedIVLen];
    memcpy(*encodedIV, tmpP, *encodedIVLen);

    //clean up the context
    freeEncodeBuffer(&ctxt);
    memFreeAll(&ctxt);
}

//This function takes a signer info and a credential and returns an encoded signer info suitable for pushing into
//a countersignature extension.
CPKIFBufferPtr PKIFCMS_API Countersign(
    CPKIFSignerInfoPtr& siToCounterSign,
    CPKIFSignerInfoPtr& countersignerSI,
    IPKIFMediatorPtr& mediator)
{
    //*****************************************************************
    //  sanity check the inputs
    //*****************************************************************
    if(siToCounterSign == (CPKIFSignerInfo*)NULL || countersignerSI == (CPKIFSignerInfo*)NULL || NULL == mediator)
        throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_INVALID_INPUT, "One or more NULL parameters passed to VerifyCounterSignatures.");

    CPKIFBufferPtr sigBP = siToCounterSign->GetSignature();
    if(sigBP == (CPKIFBuffer*)NULL)
        throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_INVALID_INPUT, "The SignerInfo to countersign does not contain a signature.");

    IPKIFCryptoMisc* cMisc = mediator->GetMediator<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_MEDIATOR_MISSING, "IPKIFCryptoMisc interface is not available.");

    //*****************************************************************
    //  hash the signature from the signer info to countersign
    //*****************************************************************

    CPKIFAlgorithmIdentifierPtr counterSignerDigestAlg = countersignerSI->GetDigestAlg();
    PKIFCRYPTO::HASH_ALG ha = PKIFCRYPTO::SHA1;
    if(!GetCACHashAlg(counterSignerDigestAlg->oid(), &ha))
            throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_UNSUPPORTED_ALG, "Unsupported hashing algorithm encountered during countersignature generation.");

    unsigned char hashResult[MAXHASH];
    int hashResultLen = MAXHASH;
    if(!countersignerSI->Decoded())
    {
        CPKIFCredentialPtr cred = countersignerSI->GetCredential();
        if(cred == (CPKIFCredential*)NULL)
            throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_INVALID_INPUT, "The SignerInfo of the countersigner does not contain a credential.");

        IPKIFHashContext* hi = cMisc->HashInit(ha);
        cMisc->HashUpdate(hi, (unsigned char*)sigBP->GetBuffer(), sigBP->GetLength());
        cMisc->HashFinal(hi, hashResult, &hashResultLen);
        delete hi;
    }

    //*****************************************************************
    //  populate an Objective SignerInfo object with details from the
    //  countersigner SignerInfo object that was passed in (including
    //  signature generation, signed attribute preparation, etc.)
    //*****************************************************************
    //changed to memory helper object 11/11/2003
    PKIFCMSMessageMemoryHelper mhSignerInfo;
    mhSignerInfo.pSignerInfo = new CACCMSSignerInfo;
    GetSignerInfo(mhSignerInfo.pSignerInfo, countersignerSI,  hashResult, hashResultLen, mediator, g_data, ha, true);

    //*****************************************************************
    //  encode the countersigner signer info and return the encoded blob
    //*****************************************************************
    CACASNWRAPPER_CREATE(CACCMSSignerInfo, tmpPDU);
    ASN1OpenType* data1 = tmpPDU.Encode(mhSignerInfo.pSignerInfo);

    //next, update the countersignerSI
    CPKIFBufferPtr data1Buf(new CPKIFBuffer(data1->data, data1->numocts));
    CPKIFSignerInfoPtr newCountersignerSI(new CPKIFSignerInfo(data1Buf));
    //CPKIFSignerInfoPtr newCountersignerSI(new CPKIFSignerInfo(*mhSignerInfo.pSignerInfo));
    countersignerSI = newCountersignerSI;

    CPKIFBufferPtr tmp;
    try
    {
        //copy the buffer info a buffer ptr to be returned to the caller
        CPKIFBufferPtr tmpTmp(new CPKIFBuffer((unsigned char*)data1->data, data1->numocts));
        tmp = tmpTmp;
        delete data1; data1 = NULL;
    }
    catch(std::bad_alloc& ba)
    {
        if(data1)
            delete data1;
        throw ba;
    }

    return tmp;
}

void PKIFCMS_API VerifyCounterSignatures(
    CPKIFSignedDataPtr& sd,
    CPKIFSignerInfoPtr& si,
    IPKIFMediatorPtr& mediator,
    CPKIFPathSettingsPtr& settings,
    CPKIFSignerInfoList& sis, 
    vector<CMSVerificationStatus>& statusVector,
    CPKIFCertificateList& certVector,
    vector<CPKIFCertificatePathPtr>& pathVector)
{
    CPKIFFuncStoragePtr keyUsageSigFunctor3(new CPKIFFuncStorage(keyUsageChecker_Signature));

    //*****************************************************************
    //  sanity check the inputs
    //*****************************************************************
    if(sd == (CPKIFSignedData*)NULL || si == (CPKIFSignerInfo*)NULL || mediator == (IPKIFMediator*)NULL)
        throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_INVALID_INPUT, "One or more NULL parameters passed to VerifyCounterSignatures.");

    IPKIFCryptoRawOperations* cRaw = mediator->GetMediator<IPKIFCryptoRawOperations>();
    if(NULL == cRaw)
        throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_MEDIATOR_MISSING, "IPKIFCryptoRawOperations interface is not available.");

    IPKIFCryptoMisc* cMisc = mediator->GetMediator<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFMessageException(TOOLKIT_MESSAGE, COMMON_MEDIATOR_MISSING, "IPKIFCryptoMisc interface is not available.");

    //*****************************************************************
    //  extract the CounterSignature attribute from the coutnersigned 
    //  SignerInfo then get and hash the signature
    //*****************************************************************
    CPKIFCountersignatureAttributePtr csAttr = si->GetUnsignedAttribute<CPKIFCountersignatureAttribute>();
    if(csAttr == (CPKIFCountersignatureAttribute*)NULL)
        return;

    CPKIFBufferPtr sigBP = si->GetSignature();
    if(sigBP == (CPKIFBuffer*)NULL)
        return;

    HashInfo hi2;
    hi2.m_hashAlg = PKIFCRYPTO::SHA1;

    int hashResultLen = MAXHASH;

    PKIFCRYPTO::HASH_ALG ha = PKIFCRYPTO::SHA1;

    CPKIFAlgorithmIdentifierPtr sigAlg = si->GetDigestAlg();
    GetCACHashAlg(sigAlg->oid(), &ha);
    GetCACHashAlg(sigAlg->oid(), &hi2.m_hashAlg);

    IPKIFHashContext* hi = cMisc->HashInit(ha);
    cMisc->HashUpdate(hi, (unsigned char*)sigBP->GetBuffer(), sigBP->GetLength());
    cMisc->HashFinal(hi, hi2.m_hashResult, &hashResultLen);
    delete hi;

    //*****************************************************************
    //  Get the encoded SignerInfos from the CounterSignature attribute
    //  and iterate over them verifying each and populating the 
    //  outbound sis and statusVector variables.
    //*****************************************************************
    CPKIFBufferList bl;
    csAttr->GetValues(bl);

    CPKIFBufferList::iterator blPos;
    CPKIFBufferList::iterator blEnd = bl.end();
    int ii = 0;
    CPKIFCertificatePtr emptyCert;
    for(blPos = bl.begin(); blPos != blEnd; ++blPos, ++ii)
    {
        //first, decode the buffer - if ANY fails to parse let the caller handle the exception
        CACASNWRAPPER_CREATE(CACCMSSignerInfo, tmpPDU);
        CACCMSSignerInfo* curSI = tmpPDU.Decode((*blPos)->GetBuffer(), (*blPos)->GetLength());
        CPKIFBufferPtr curSIBuf(new CPKIFBuffer((*blPos)->GetBuffer(), (*blPos)->GetLength()));

        //next, create a CPKIFSignerInfoPtr and add entries to both sis and statusVector        
        CPKIFSignerInfoPtr newSI(new CPKIFSignerInfo(curSIBuf));
        //CPKIFSignerInfoPtr newSI(new CPKIFSignerInfo(*curSI));
        sis.push_back(newSI);
        statusVector.push_back(NOT_VERIFIED);
        certVector.push_back(emptyCert);

        //next, get the signer's cert from the signed data that was passed in
        //if it can't be found - continue to the next countersignature
        //CPKIFBufferPtr curSIBuf(new CPKIFBuffer((*blPos)->GetBuffer(), (*blPos)->GetLength()));
        CPKIFBufferPtr signerCert = sd->GetSignersCert(curSIBuf);
        //CPKIFBufferPtr signerCert = sd->GetSignersCert(curSI);
        if(signerCert == (CPKIFCertificate*)NULL)
            continue;
        else
        {
            CPKIFCertificatePtr newSignerCert(new CPKIFCertificate);
            newSignerCert->Decode(signerCert->GetBuffer(), signerCert->GetLength());
            certVector[ii] = newSignerCert;
        }

        //next, determine if it's necessary to generate a hash over signed attributes
        HashInfo* hi = NULL;
        bool deleteHI = false;
        if(curSI->m.signedAttrsPresent)
        {
            hi = ComputeSignedAttrHash(curSI, cMisc);
            deleteHI = true;
            if(!CompareHashes(&hi2, curSI))
            {
                //if hash of data does not match the hash contained in the signed attr bag
                //or if there is no content hash in the signed attr bag then fail
                statusVector[ii] = CMS_SIGNATURE_INVALID;
                delete hi;
                continue;
            }
        }
        else
            hi = &hi2;

        //set up a key material object to hold the signer's cert
        CPKIFKeyMaterial key;
        key.SetCertificate(signerCert->GetBuffer(), signerCert->GetLength());

        bool bRetrySigWithParams = false;
        //invoke verify - passing either the hash that was calculated over the signature or the hash calculated over
        //the signed attributes.        
        try
        {
            if(!cRaw->Verify(key, hi->m_hashResult, CPKIFAlgorithm::GetAlg(hi->m_hashAlg)->DigestSize(), (unsigned char*)curSI->signature.data, curSI->signature.numocts, hi->m_hashAlg))
            {
                if(NULL != hi && deleteHI)
                    delete hi;
                statusVector[ii] = CMS_SIGNATURE_INVALID;
                return;
            }
            else
            {
                if(NULL != hi && deleteHI)
                    delete hi;
                statusVector[ii] = CMS_SIGNATURE_VERIFIED;
            }
        }
        catch(CPKIFException& ce)
        {
            if(PKIFCAPING_KEY_IMPORT_FAILED != ce.GetErrorCode() && 
                PKIFCAPI_KEY_IMPORT_FAILED != ce.GetErrorCode() && 
                PKIF_CRYPTOPP_RAW_IMPORT_FAILED != ce.GetErrorCode() &&
                PKIFNSS_CERT_IMPORT_FAILED != ce.GetErrorCode())
            {
                throw ce;
            }
            else
            {
                bRetrySigWithParams = true;
            }
        }
        IPKIFPathBuild* cBuild = mediator->GetMediator<IPKIFPathBuild>();
        if(NULL == cBuild)
            continue;

        IPKIFPathValidate* cValidate = mediator->GetMediator<IPKIFPathValidate>();
        if(NULL == cValidate)
            continue;

        CPKIFCertificatePathPtr tmpPath(new CPKIFCertificatePath);
        pathVector.push_back(tmpPath);

        CPKIFPathValidationResultsPtr tmpValResults(new CPKIFPathValidationResults);

        CPKIFCertificatePtr signersCert(new CPKIFCertificate());
        signersCert->Decode(signerCert->GetBuffer(), signerCert->GetLength());
        tmpPath->SetTarget(signersCert);

        //if settings have been associated with this object use them
        //otherwise defer to the default settings (either globally set
        //or defined to be very permissive)
        if(settings != (CPKIFPathSettings*)NULL)
            tmpPath->SetPathSettings(settings);

        try
        {
            do
            {
                if(!cBuild->BuildPath(*tmpPath))
                {
                    //stop looking for paths - continue to next countersignature
                    break; 
                }
                if(cValidate->ValidatePath(*tmpPath, *tmpValResults, keyUsageSigFunctor3))
                {
                    if(NOT_REVOKED == tmpValResults->GetRevocationStatusMostSevere())
                    {
                        if(bRetrySigWithParams)
                        {
                            CPKIFAlgorithmIdentifierPtr wp = tmpValResults->GetWorkingParams();
                             key.SetWorkingParameters(wp);
                            if(!cRaw->Verify(key, hi->m_hashResult, CPKIFAlgorithm::GetAlg(hi->m_hashAlg)->DigestSize(), (unsigned char*)curSI->signature.data, curSI->signature.numocts, hi->m_hashAlg))
                            {
                                if(NULL != hi && deleteHI)
                                    delete hi;
                                statusVector[ii] = CMS_SIGNATURE_INVALID;
                                return;
                            }
                            else
                            {
                                if(NULL != hi && deleteHI)
                                    delete hi;
                                statusVector[ii] = CMS_SIGNATURE_VERIFIED;
                            }
                        }

                        statusVector[ii] = REV_STATUS_VERIFIED;

                        //stop looking for paths - continue to next countersignature
                        break; 
                    }
                    else
                    {
                        if(bRetrySigWithParams)
                        {
                            CPKIFAlgorithmIdentifierPtr wp = tmpValResults->GetWorkingParams();
                             key.SetWorkingParameters(wp);
                            if(!cRaw->Verify(key, hi->m_hashResult, CPKIFAlgorithm::GetAlg(hi->m_hashAlg)->DigestSize(), (unsigned char*)curSI->signature.data, curSI->signature.numocts, hi->m_hashAlg))
                            {
                                if(NULL != hi && deleteHI)
                                    delete hi;
                                statusVector[ii] = CMS_SIGNATURE_INVALID;
                                return;
                            }
                            else
                            {
                                if(NULL != hi && deleteHI)
                                    delete hi;
                                statusVector[ii] = CMS_SIGNATURE_VERIFIED;
                            }
                        }

                        statusVector[ii] = CERT_PATH_VERIFIED;

                        //stop looking for paths - continue to next countersignature
                        break; 
                    }
                }
                else
                {
                    if(!tmpValResults->GetBasicChecksSuccessfullyPerformed() ||
                        !tmpValResults->GetCertSignaturesVerified())
                    {

                        if(bRetrySigWithParams)
                        {
                            if(NULL != hi && deleteHI)
                                delete hi;
                            statusVector[ii] = CMS_SIGNATURE_INVALID;
                            return;
                        }

                        statusVector[ii] = CERT_PATH_INVALID; //set the status but keep looking

                        //continue to try another path  
                        continue;
                    }
                    else if(REVOKED == tmpValResults->GetRevocationStatusMostSevere())
                    {
                        if(bRetrySigWithParams)
                        {
                            if(NULL != hi && deleteHI)
                                delete hi;
                            statusVector[ii] = CMS_SIGNATURE_INVALID;
                            return;
                        }

                        statusVector[ii] = REV_STATUS_INVALID;

                        //see if the signer was revoked - if so, stop looking and return false now
                        //if they don't match then a CA cert was revoked and we should keep looking
                        //for a good path
                        CPKIFCertificateNodeEntryPtr errantCertNode = tmpValResults->GetCertificate();
                        if(errantCertNode != (CPKIFCertificateNodeEntry*)NULL)
                        {
                            CPKIFCertificatePtr errantCert = errantCertNode->GetCert();
                            if(errantCert != (CPKIFCertificate*)NULL && *errantCert == *signersCert)
                            {
                                //continue to try another path
                                continue;
                            }
                        }
                    }
                    else if(tmpValResults->GetBasicChecksSuccessfullyPerformed() &&
                        tmpValResults->GetCertSignaturesVerified())
                    {                       
                        if(bRetrySigWithParams)
                        {
                            CPKIFAlgorithmIdentifierPtr wp = tmpValResults->GetWorkingParams();
                             key.SetWorkingParameters(wp);
                            if(!cRaw->Verify(key, hi->m_hashResult, CPKIFAlgorithm::GetAlg(hi->m_hashAlg)->DigestSize(), (unsigned char*)curSI->signature.data, curSI->signature.numocts, hi->m_hashAlg))
                            {
                                if(NULL != hi && deleteHI)
                                    delete hi;
                                statusVector[ii] = CMS_SIGNATURE_INVALID;
                                return;
                            }
                            else
                            {
                                if(NULL != hi && deleteHI)
                                    delete hi;
                                statusVector[ii] = CMS_SIGNATURE_VERIFIED;
                            }
                        }
                        statusVector[ii] = CERT_PATH_VERIFIED; //verification successful but revocation not checked

                        //continue to try another path
                        continue;
                    }
                }
            }while(1);
        }
        catch(CPKIFException&)
        {
            //continue to next countersignature
            continue;
        }
    }

}
void PopulateKARIDFromKeyMaterial(
    CACCMSKeyAgreeRecipientIdentifier* rid,
    CPKIFKeyMaterialPtr& km)
{
    CPKIFBufferPtr certBuf(new CPKIFBuffer());
    int rawLen = km->GetCertificateLength();
    unsigned char * cbRaw = certBuf->AllocateBuffer(rawLen);
    km->GetCertificate(cbRaw,&rawLen);
    CPKIFCertificatePtr cert(new CPKIFCertificate());
    cert->Decode(certBuf->GetBuffer(),rawLen);
    CPKIFSubjectKeyIdentifierPtr skid = cert->GetExtension<CPKIFSubjectKeyIdentifier>();
    if(skid) {
        CPKIFBufferPtr skidBuf = skid->KeyIdentifier();
        rid->t = T_CACCMSKeyAgreeRecipientIdentifier_rKeyId;
        rid->u.rKeyId = new CACCMSRecipientKeyIdentifier;
        memset(&(rid->u.rKeyId),0x00,sizeof(CACCMSRecipientKeyIdentifier));
        int skidLen = skidBuf->GetLength();
        rid->u.rKeyId->subjectKeyIdentifier.numocts = skidLen;
        rid->u.rKeyId->subjectKeyIdentifier.data = new unsigned char[skidLen];
        memcpy((void*)rid->u.rKeyId->subjectKeyIdentifier.data,skidBuf->GetBuffer(),skidLen);
    } else {
        rid->t = T_CACCMSKeyAgreeRecipientIdentifier_issuerAndSerialNumber;
        rid->u.issuerAndSerialNumber = new CACCMSIssuerAndSerialNumber;
        memset(rid->u.issuerAndSerialNumber,0x00,sizeof(CACCMSIssuerAndSerialNumber));
        rid->u.issuerAndSerialNumber->serialNumber = cert->SerialNumber();
        CPKIFBufferPtr nb = cert->Issuer()->rawName();
        CACASNWRAPPER_CREATE(CACX509V3Name, namePDU);
        CACX509V3Name * iName = namePDU.Decode(nb->GetBuffer(),nb->GetLength());
        CopyName(&rid->u.issuerAndSerialNumber->issuer, *iName);
    }
}