CACLDAPRepository.cpp

Go to the documentation of this file.

#include "PKIFLDAPRepository.h"
#include "ToolkitUtils.h"
#include "Name.h"
#include "GeneralName.h"
#include "Certificate.h"
#include "GottaMatch.h"
#include "CRL.h"
#include "PKIFCRLNodeEntry.h"
#include "PKIFLdapCertNode.h"
#include "PKIFLdapCrlNode.h"
#include "PKIFCacheMediator2.h"
#include "GeneralSubtree.h"

#include "PKIFCacheErrors.h"
#include "PKIFCacheException.h"
#include "CSingletonLDAPConnection.h"

#include "ASN1Helper.h"
#include "PKIX1Implicit88.h"
#include "PKIX1Explicit88.h"

#include "boost/numeric/conversion/cast.hpp"
#include "boost/numeric/conversion/bounds.hpp"
#include "boost/limits.hpp"

using boost::numeric_cast;
using boost::bad_numeric_cast;

using namespace boost;

#include "curl/curl.h"

#ifdef _WIN32
#include "winldap.h"
#include "winber.h"
#else
#include "ldap.h"
#include <sys/unistd.h>
#endif 

#include <sstream>
#include <strstream>
using namespace std;


//these definitions placed here as a convenience (it's a cpp file in the same component - these
//are used by CACCAPIRepository, which is a template class defined in CACCAPIRepository.h)
CAC_API char g_defCACCAPIStore[] = "CA";
CAC_API char g_defCACCAPIEEStore[] = "AddressBook";

struct CPKIFLDAPRepositoryImpl {
    bool m_bSuppressConnectionErrors;
    int m_nPort;
    CPKIFStringPtr m_strHost;
    CPKIFStringPtr m_strUsername;
    CPKIFStringPtr m_strPassword;

    LDAP* m_ldapStruct;

    bool m_bDeferFetch;

    CPKIFGeneralSubtreeList m_namespaces;
    bool CheckNamespaces(const CPKIFNamePtr& name);

    LDAP* ConnectAndBind(std::string& strHost, int port, std::string& strUsername, std::string& strPassword);

};
bool CPKIFLDAPRepositoryImpl::CheckNamespaces(
    const CPKIFNamePtr& name)
{
    CPKIFGeneralSubtreeList::iterator pos;
    CPKIFGeneralSubtreeList::iterator end = m_namespaces.end();
    for(pos = m_namespaces.begin(); pos != end; ++pos)
    {
        if(CPKIFGeneralSubtree::MATCH == (*pos)->IsInSubtree(name))
            return true;
    }

    //if we get here then either it's not a match (cause the list isn't empty)
    //or it is a match (cause the list is empty).  when the list is empty, we
    //accept all comers.
    return m_namespaces.empty();
}



CAC_API CPKIFLDAPRepositoryPtr MakeLDAPRepository()
{
    CPKIFLDAPRepositoryPtr ldap(new CPKIFLDAPRepository());
    return ldap;
}
CAC_API void FreeLDAPRepository(
    CPKIFLDAPRepository* ldap)
{
    if(ldap)
    {
        delete ldap;
    }
}
CPKIFLDAPRepository::CPKIFLDAPRepository(void)
:m_impl(new struct CPKIFLDAPRepositoryImpl)
{
    LOG_STRING_DEBUG("CPKIFLDAPRepository::CPKIFLDAPRepository(void)", TOOLKIT_SR_LDAPREPOSITORY, 0, this);

    CPKIFStringPtr tmpPS1(new std::string(""));
    m_impl->m_strPassword = tmpPS1;
    CPKIFStringPtr tmpPS2(new std::string(""));
    m_impl->m_strUsername = tmpPS2;
    CPKIFStringPtr tmpPS3(new std::string(""));
    m_impl->m_strHost = tmpPS3;
    m_impl->m_nPort = 389;
    m_impl->m_bSuppressConnectionErrors = false;
    m_impl->m_ldapStruct = NULL;
    m_impl->m_bDeferFetch = true;
}
CPKIFLDAPRepository::~CPKIFLDAPRepository(void)
{
    LOG_STRING_DEBUG("CPKIFLDAPRepository::~CPKIFLDAPRepository(void)", TOOLKIT_SR_LDAPREPOSITORY, 0, this);

    if(NULL != m_impl->m_ldapStruct)
    { 
        //ldap_unbind(m_impl->m_ldapStruct); 
        m_impl->m_ldapStruct = NULL;
    }
    if(0 != m_impl)
    {
        delete m_impl;
        m_impl = 0;
    }
}
void CPKIFLDAPRepository::Initialize() 
{
    LOG_STRING_DEBUG("CPKIFLDAPRepository::Initialize()", TOOLKIT_SR_LDAPREPOSITORY, 0, this);
}

int CPKIFLDAPRepository::GetPort() const 
{
    return m_impl->m_nPort;
}
void CPKIFLDAPRepository::Set_Port(
    int port) 
{
    if(65535 < port)
    {
        RAISE_CACHE_EXCEPTION("Port greater than 65535 passed to CPKIFLDAPRepository::Set_Port.", thisComponent, COMMON_INVALID_INPUT, this)
    }
    m_impl->m_nPort = port;
}
const char* CPKIFLDAPRepository::GetHost() const 
{
    return m_impl->m_strHost->c_str();
}
void CPKIFLDAPRepository::SetHost(
    const char* host) 
{
    //added check for NULL  2/23/2005
    if(NULL == host)
    {
        RAISE_CACHE_EXCEPTION("NULL host passed to CPKIFLDAPRepository::SetHost.", thisComponent, COMMON_INVALID_INPUT, this)
    }
    m_impl->m_strHost->assign(host);
}
const char*CPKIFLDAPRepository::GetUsername() const 
{
    return m_impl->m_strUsername->c_str();
}
void CPKIFLDAPRepository::SetUsername(
    const char* username) 
{
    m_impl->m_strUsername->assign(username);
}
void CPKIFLDAPRepository::SetPassword(
    const char* password) 
{
    m_impl->m_strPassword->assign(password);
}
void CPKIFLDAPRepository::SetSuppressConnectionErrors(
    bool b)
{
    m_impl->m_bSuppressConnectionErrors = b;
}
bool CPKIFLDAPRepository::GetSuppressConnectionErrors() const
{
    return m_impl->m_bSuppressConnectionErrors;
}


LDAP* CPKIFLDAPRepositoryImpl::ConnectAndBind(
    std::string& strHost, 
    int port,
    std::string& strUsername, 
    std::string& strPassword)
{
    LOG_STRING_DEBUG("CPKIFLDAPRepository::ConnectAndBind(std::string& strHost, int port, std::string& strUsername, std::string& strPassword)", TOOLKIT_SR_LDAPREPOSITORY, 0, this);

    if(NULL != m_ldapStruct)
        return m_ldapStruct;

    if(strHost.empty())
        return NULL;

    int ret = 0;

    const char* host = strHost.c_str();
    string lud_hostString(host);

    CSingletonLDAPConnection* slc = CSingletonLDAPConnection::Instance();
    m_ldapStruct = slc->GetConnection(lud_hostString, port);
    if(!m_ldapStruct)
    {
        //give a few tries at connecting
        int connectCount = 0;
        do
        {
            ostrstream oss;
            oss << "Attempting to connect to : " << host << " on port " << port << ends;
            LOG_STRING_INFO(oss.str(), TOOLKIT_SR_LDAPREPOSITORY, 0, this);
            oss.freeze(false);

            m_ldapStruct = ldap_open(const_cast<char*>(host), port);
            if(NULL != m_ldapStruct) 
                connectCount = 5;
            else
            {
                oss << "Failed to connect to : " << host << " on port " << port << ends;
                LOG_STRING_ERROR(oss.str(), TOOLKIT_SR_LDAPREPOSITORY, 0, this);
                oss.freeze(false);
        
                SLEEP(10);
                ++connectCount;
            }
        }while(5 > connectCount);

        //if we failed to open a connection, i.e. ldapStruct is NULL, then return NULL
        if(NULL == m_ldapStruct) 
        {
            std::ostringstream os;
            os << "Failed to open connection to " << host << " on port " << port;;
            LOG_STRING_ERROR(os.str().c_str(), TOOLKIT_SR_LDAPREPOSITORY, CACHE_LDAP_CONNECT_AND_BIND_FAILED, this)
            return NULL;
        }

        //give a few tries at binding
        int bindCount = 0;
        char* username = NULL;
        char* password = NULL;

        //get pointers to username and password - if present
        if(!strUsername.empty())
            username = const_cast<char*>(strUsername.c_str());

        if(!strPassword.empty())
            password = const_cast<char*>(strPassword.c_str());

        ULONG timeout = 30;
        ldap_set_option(m_ldapStruct, LDAP_OPT_TIMELIMIT, &timeout);

        do
        {
            ret = ldap_simple_bind_s(m_ldapStruct, username, password);
            if(0 == ret)
                bindCount = 5;
            else
            {
                //added 7/29/2004
                if(LDAP_PROTOCOL_ERROR == ret)
                {
                    int opt = LDAP_VERSION3;
                    ldap_set_option(m_ldapStruct, LDAP_OPT_PROTOCOL_VERSION, &opt);
                }

                SLEEP(10);
                ++bindCount;
            }
        }while( 5 > bindCount);

        //if we failed to bind - clean up the ldapStruct object and return NULL
        //otherwise simply return the ldapStruct object
        if(0 != ret)
        {
            std::ostringstream os;
            os << "Failed to bind to " << host << " on port " << port;;
            LOG_STRING_ERROR(os.str().c_str(), TOOLKIT_SR_LDAPREPOSITORY, CACHE_LDAP_CONNECT_AND_BIND_FAILED, this)

            ldap_unbind(m_ldapStruct);
            m_ldapStruct = NULL;
        }
        else
        {
            slc->PushConnection(lud_hostString, port, m_ldapStruct);

            std::ostringstream os;
            os << "Successfully connected to host " << host << " on port " << port;;
            LOG_STRING_INFO(os.str().c_str(), TOOLKIT_SR_LDAPREPOSITORY, 0, this)
        }
    }

    return m_ldapStruct;
}
void CPKIFLDAPRepository::GetCertificates(
    const CPKIFNamePtr& subDN,
    CPKIFCertificateList& certList,
    PKIInfoSource source)
{
    _GetCertificates(subDN, certList, source, PBD_FORWARD);
}
void CPKIFLDAPRepository::_GetCertificates(
    const CPKIFNamePtr& subDN,
    CPKIFCertificateList& certList,
    PKIInfoSource source,
    PathBuildingDirection pbd)
{
#undef CLEANUP
#define CLEANUP \
{ \
    if(NULL != binaryValuesPtr)\
    { ldap_value_free_len(binaryValuesPtr);binaryValuesPtr = NULL;}\
    if(NULL != tempAttrName)\
    { ldap_memfree(tempAttrName);tempAttrName = NULL;}\
    if(NULL != ber_temp)\
    { ber_free(ber_temp, 0);ber_temp = NULL;}\
    if(NULL != results)\
    { ldap_msgfree(results);results = NULL;}\
} 

    LOG_STRING_DEBUG("CPKIFLDAPRepository::GetCertificates(const CPKIFNamePtr& subDN, CPKIFCertificateList& certList, PKIInfoSource source)", TOOLKIT_SR_LDAPREPOSITORY, 0, this);

    //ignore requests for locally stored certificates
    if(LOCAL == source)
    {
        LOG_STRING_DEBUG("Skipping CPKIFLDAPRepository - searching LOCAL sources only", thisComponent, 0, this);
        return;
    }

    //ignore bad input
    if(subDN == (CPKIFName*)NULL)
    {
        LOG_STRING_ERROR("Skipping CPKIFLDAPRepository - input NULL or empty subject DN", thisComponent, COMMON_INVALID_INPUT, this);
        return;
    }

    if(!m_impl->CheckNamespaces(subDN))
        return;

    //get a pointer to a string representation of the DN we will use to retrieve certs
    const char* tmpSubDN = subDN->ToString();

    size_t origSize = certList.size();

    int ret = 0;

    LDAP* ldapStruct = NULL;
    LDAPMessage* results = NULL;    
    LDAPMessage* curEntry = NULL;       //does not need to be freed (per MSDN)
    BerElement *ber_temp = NULL;
    struct berval **binaryValuesPtr = NULL;
    struct berval *tmpPtr = NULL;

    const char* filter = "objectclass=*";
    char* certAttrName = "caCertificate;binary";
    char* crossCertAttrName = "crosscertificatepair;binary";
    char* certAttrName2 = "caCertificate";
    char* crossCertAttrName2 = "crosscertificatepair";
    char* userCertAttrName = "userCertificate"; //added these two to permit discovery of crl issuers 7/18
    char* userCertAttrName2 = "userCertificate;binary";

    char* attrsOfInterest[] = {crossCertAttrName, crossCertAttrName2, certAttrName, certAttrName2, userCertAttrName, userCertAttrName2, NULL};
    if(PBD_REVERSE == pbd)
        attrsOfInterest[2] = NULL; //only care about cross-certs, crimp off everything else

    char* tempAttrName = NULL;

    int multiAttrIndex = 0;

    //log entries are created in ConnectAndBind as necessary
    ldapStruct = m_impl->ConnectAndBind(*m_impl->m_strHost, m_impl->m_nPort, *m_impl->m_strUsername, *m_impl->m_strPassword);
    if(NULL == ldapStruct)
    {
        if(!m_impl->m_bSuppressConnectionErrors)
        {
            CLEANUP
            RAISE_CACHE_EXCEPTION("Connect and bind failed.", thisComponent, CACHE_LDAP_CONNECT_AND_BIND_FAILED, this)
        }
        else
            return;
    }

    try
    {
        //turn on referral chasing (should be on by default but...)
        ldap_set_option(ldapStruct, LDAP_OPT_REFERRALS, LDAP_OPT_ON);

        //added 7/20/2004
        //no more than 20000 byte certs
        const int c_nMaxCertSize = 20000;
        ldap_set_option(ldapStruct, LDAP_OPT_SIZELIMIT, &c_nMaxCertSize);

        //retrieve the directory entry
        ret = ldap_search_s(ldapStruct, (char*)tmpSubDN, LDAP_SCOPE_BASE, (char *)filter, attrsOfInterest, 0, &results);
        if(0 != ret || NULL == results)
        {
            //exceptions are thrown simply to get us to the bottom of this function so cleanup can occur
            std::ostringstream os;
            os << "ldap_search_s failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }

        curEntry = ldap_first_entry(ldapStruct, results);
        if(NULL == curEntry)
        {
            std::ostringstream os;
            os << "ldap_first_entry failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }
        
        tempAttrName = ldap_first_attribute(ldapStruct, curEntry, &ber_temp);
        if(NULL == curEntry || NULL == tempAttrName)
        {
            std::ostringstream os;
            os << "ldap_first_attribute failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }

        do
        {
            //compare the current attribute name to the certificate attribute name
            if(0 == stricmp(certAttrName, tempAttrName) || 0 == stricmp(userCertAttrName, tempAttrName) ||
                0 == stricmp(certAttrName2, tempAttrName) || 0 == stricmp(userCertAttrName2, tempAttrName))
            {
                multiAttrIndex = 0;
                if(NULL != binaryValuesPtr)
                {
                    ldap_value_free_len(binaryValuesPtr); binaryValuesPtr = NULL;
                }

                binaryValuesPtr = ldap_get_values_len(ldapStruct, curEntry, tempAttrName);
                const int entryCount = ldap_count_values_len(binaryValuesPtr);
                if(0 != entryCount && NULL != binaryValuesPtr && NULL != binaryValuesPtr[multiAttrIndex])
                {
                    //iterate over all of the values
                    while(multiAttrIndex < entryCount)
                    {
                        tmpPtr = binaryValuesPtr[multiAttrIndex];
                        if(NULL == tmpPtr)
                        {
                            break;
                        }

                        //bad_alloc caught by catch(...); cleanup executed
                        CPKIFCertificatePtr tmpCert(new CPKIFCertificate()); 
                        try
                        {
                            //create cert using tmpPtr->bv_val, tmpPtr->bv_len
                            tmpCert->Decode((unsigned char*)tmpPtr->bv_val, tmpPtr->bv_len);                        

                            GottaMatch<CPKIFCertificatePtr> gm;
                            gm.SetRHS(tmpCert);
                            if(certList.end() == find_if(certList.begin(), certList.end(), gm))
                                certList.push_back(tmpCert);
                        }
                        catch(CPKIFException&)
                        {
                            //EXCEPTION DELETION
                            //we don't need to pass this exception up - we should log the fact
                            //that a busted (or non) cert was found and keeping sifting through
                            //the remaining values, if any
                            //delete e;

                            //ignore entries that fail to parse
                            std::ostringstream os;
                            os << "Failed to parse certificate found in entry for " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                            LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this)
                        }

                        multiAttrIndex++;
                    }
                }
            }
            else if(0 == stricmp(crossCertAttrName, tempAttrName) || 0 == stricmp(crossCertAttrName2, tempAttrName))
            {
                multiAttrIndex = 0;
                if(NULL != binaryValuesPtr)
                {
                    ldap_value_free_len(binaryValuesPtr); binaryValuesPtr = NULL;
                }
                binaryValuesPtr = ldap_get_values_len(ldapStruct, curEntry, tempAttrName);
                const int entryCount = ldap_count_values_len(binaryValuesPtr);
                if(0 != entryCount && NULL != binaryValuesPtr && NULL != binaryValuesPtr[multiAttrIndex])
                {
                    while(multiAttrIndex < entryCount)
                    {
                        tmpPtr = binaryValuesPtr[multiAttrIndex];
                        if(NULL == tmpPtr)
                        {
                            break;
                        }

                        try
                        {
                            CACASNWRAPPER_CREATE(CACX509V3CertificatePair, objPDU);
                            objPDU.Decode((unsigned char*)tmpPtr->bv_val, tmpPtr->bv_len);

                            if((objPDU->m.forwardPresent && PBD_FORWARD == pbd) ||
                                (objPDU->m.reversePresent && PBD_REVERSE == pbd))
                            {
                                //bad_alloc caught by catch(...); cleanup executed
                                CPKIFCertificatePtr tmpCert(new CPKIFCertificate);

                                //bad_alloc caught by catch(...); cleanup executed
                                unsigned char* buf = new unsigned char[tmpPtr->bv_len];

                                OOCTXT ctxt;
                                initContext (&ctxt);
                                setBEREncBufPtr(&ctxt, buf, tmpPtr->bv_len);
                                if(objPDU->m.forwardPresent && PBD_FORWARD == pbd)
                                    BEREncCACX509V3Certificate(&ctxt, &objPDU->forward, ASN1EXPL);
                                else if(objPDU->m.reversePresent && PBD_REVERSE == pbd)
                                    BEREncCACX509V3Certificate(&ctxt, &objPDU->reverse, ASN1EXPL);

                                try
                                {
                                    int iCertLen = 0;
                                    try 
                                    {
                                        iCertLen = numeric_cast<int>(ctxt.buffer.size - ctxt.buffer.byteIndex - 1);
                                    }
                                    catch(bad_numeric_cast &) 
                                    {
                                        throw CPKIFException(TOOLKIT_CACHE, COMMON_INVALID_INPUT, "Certificate size is larger than maximum integer size.");
                                    }

                                    tmpCert->Decode(ctxt.buffer.data + ctxt.buffer.byteIndex, iCertLen);

                                    GottaMatch<CPKIFCertificatePtr> gm;
                                    gm.SetRHS(tmpCert);
                                    if(certList.end() == find_if(certList.begin(), certList.end(), gm))
                                        certList.push_back(tmpCert);
                                }
                                catch(CPKIFException&)
                                {
                                    //EXCEPTION DELETION
                                    //we don't need to pass this exception up - we should log the fact
                                    //that a busted (or non) cert was found and keeping sifting through
                                    //the remaining values, if any
                                    //delete e;

                                    //ignore entries that fail to parse
                                    std::ostringstream os;
                                    os << "Failed to parse certificate from cross-certificate found in entry for " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                                    LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this)
                                }

                                freeEncodeBuffer(&ctxt);
                                memFreeAll(&ctxt);
                                delete[] buf;
                            }
                        }
                        catch(CPKIFException&)
                        {
                            //EXCEPTION DELETION
                            //we don't need to pass this exception up - we should log the fact
                            //that a busted (or non) cert was found and keeping sifting through
                            //the remaining values, if any
                            //delete e;

                            //ignore entries that do not parse
                            std::ostringstream os;
                            os << "Failed to parse certificate from cross-certificate found in entry for " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                            LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this)
                        }

                        multiAttrIndex++;
                    }
                }
            }

            //inspect the next attribute
            ldap_memfree(tempAttrName); tempAttrName = NULL;
            tempAttrName = ldap_next_attribute(ldapStruct, curEntry, ber_temp);

        }while(NULL != tempAttrName);
    }
    catch(CPKIFException&)
    {
        //EXCEPTION DELETION
        //do nothing - we used these exceptions essentially as a goto
        //delete e;
    }
    catch(...)
    {
        CLEANUP;
        throw;
    }

    if(origSize != certList.size())
    {
        std::ostringstream os;
        os << "Found one or more certificates issued to: " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
        LOG_STRING_DEBUG(os.str().c_str(), thisComponent, 0, this);
    }
    else
    {
        std::ostringstream os;
        os << "Failed to find a certificate issued to: " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
        LOG_STRING_INFO(os.str().c_str(), thisComponent, 0, this);
    }

    CLEANUP;
}
void CPKIFLDAPRepository::GetCertificates(const CPKIFCertificatePtr& cert, CPKIFCertificateList& certList, PKIInfoSource source, PathBuildingDirection pbd)
{
    if(PBD_FORWARD == pbd)
    {
        _GetCertificates(cert->Issuer(), certList, source, pbd);
    }
    else
    {
        _GetCertificates(cert->Subject(), certList, source, pbd);
    }
        
    //_GetCertificates(cert->Subject(), certList, source, PBD_REVERSE);
}

bool IsNonDirName(
    const CPKIFGeneralNamePtr& gn)
{
    return CPKIFGeneralName::DIRECTORYNAME != gn->GetType();
}
void CPKIFLDAPRepository::GetCRLs(
    const CPKIFCertificatePtr& cert, 
    CPKIFCRLList& crlList,
    PKIInfoSource source)
{
#undef CLEANUP
#define CLEANUP \
{ \
    if(NULL != binaryValuesPtr)\
    { ldap_value_free_len(binaryValuesPtr);binaryValuesPtr = NULL;}\
    if(NULL != tempAttrName)\
    { ldap_memfree(tempAttrName);tempAttrName = NULL;}\
    if(NULL != ber_temp)\
    { ber_free(ber_temp, 0);ber_temp = NULL;}\
    if(NULL != results)\
    { ldap_msgfree(results); results = NULL;}\
} 

    LOG_STRING_DEBUG("CPKIFLDAPRepository::GetCRLs(const CPKIFCertificatePtr& cert, CPKIFCRLList& crlList, PKIInfoSource source)", TOOLKIT_SR_LDAPREPOSITORY, 0, this);

    if(LOCAL == source)
    {
        LOG_STRING_DEBUG("Skipping CPKIFLDAPRepository - searching LOCAL sources only", thisComponent, 0, this);
        return;
    }

    size_t origSize = crlList.size();
    CPKIFNamePtr issDN = cert->Issuer();

    if(!m_impl->CheckNamespaces(issDN))
        return;

    CPKIFGeneralNameList nameList;
    CollectNamesFromCRLDP(cert, nameList);

    //we don't care about non-directory names in this handler
    CPKIFGeneralNameList::iterator newEnd = remove_if(nameList.begin(), nameList.end(), IsNonDirName);
    nameList.erase(newEnd, nameList.end());

    try
    {
        CPKIFGeneralNamePtr tmpGN(new CPKIFGeneralName(issDN));
        nameList.push_back(tmpGN);
    }
    catch(std::bad_alloc*)
    {
        //nothing has been allocated yet - no need to proceed
        return;
    }

    int ret = 0;

    LDAP* ldapStruct = NULL;
    LDAPMessage* results = NULL;    
    LDAPMessage* curEntry = NULL;       //does not need to be freed (per MSDN)
    BerElement *ber_temp = NULL;
    struct berval **binaryValuesPtr = NULL;
    struct berval *tmpPtr = NULL;

    const char* filter = "objectclass=*";
    char* tempAttrName = NULL;
    char* crlName = "certificateRevocationList;binary";
    char* arlName = "authorityRevocationList;binary";
    char* crlName2 = "certificateRevocationList";
    char* arlName2 = "authorityRevocationList";
    char* deltaName = "deltaRevocationList;binary";
    char* deltaName2 = "deltaRevocationList";

    //added delta name 12/8/2003
    char* attrsOfInterest[] = {crlName, arlName, crlName2, arlName2, deltaName, deltaName2, NULL};

    int multiAttrIndex = 0;

    ldapStruct = m_impl->ConnectAndBind(*m_impl->m_strHost, m_impl->m_nPort, *m_impl->m_strUsername, *m_impl->m_strPassword);
    if(NULL == ldapStruct)
    {
        if(!m_impl->m_bSuppressConnectionErrors)
        {
            std::ostringstream os;
            os << "Failed to open connection to " << *m_impl->m_strHost << " on port " << m_impl->m_nPort;
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_CONNECT_AND_BIND_FAILED, this)
        }
        else
            return;
    }

    CPKIFGeneralNameList::iterator pos;
    CPKIFGeneralNameList::iterator end = nameList.end();
    for(pos = nameList.begin(); pos != end; ++pos)
    {
        try
        {
            CPKIFNamePtr tmpName = (*pos)->directoryName();
            const char* tmpSubDN = tmpName->ToString();

            //turn on referral chasing (should be on by default but...)
            ldap_set_option(ldapStruct, LDAP_OPT_REFERRALS, LDAP_OPT_ON);

            //added 7/20/2004 -> raised to 100MB 11/17/2006
            const int c_nMaxCRLSize = 100000000;
            ldap_set_option(ldapStruct, LDAP_OPT_SIZELIMIT, &c_nMaxCRLSize);

            //retrieve the directory entry
            ret = ldap_search_s(ldapStruct, (char*)tmpSubDN, LDAP_SCOPE_BASE, (char *)filter, attrsOfInterest, 0, &results);
            if(0 != ret || NULL == results)
            {
                //exceptions are thrown simply to get us to the bottom of this function so cleanup can occur
                std::ostringstream os;
                os << "ldap_search_s failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                CLEANUP
                RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
            }

            curEntry = ldap_first_entry(ldapStruct, results);
            if(NULL == curEntry)
            {
                std::ostringstream os;
                os << "ldap_first_entry failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                CLEANUP
                RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
            }
            
            tempAttrName = ldap_first_attribute(ldapStruct, curEntry, &ber_temp);
            if(NULL == curEntry || NULL == tempAttrName)
            {
                std::ostringstream os;
                os << "ldap_first_attribute failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                CLEANUP
                RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
            }

            do
            {
                if(0 == stricmp(crlName, tempAttrName) || 0 == stricmp(arlName, tempAttrName) ||
                    0 == stricmp(crlName2, tempAttrName) || 0 == stricmp(arlName2, tempAttrName) ||
                    0 == stricmp(deltaName2, tempAttrName) || 0 == stricmp(deltaName, tempAttrName))
                {
                    multiAttrIndex = 0;
                    if(NULL != binaryValuesPtr)
                    {
                        ldap_value_free_len(binaryValuesPtr);binaryValuesPtr = NULL;
                    }
                    binaryValuesPtr = ldap_get_values_len(ldapStruct, curEntry, tempAttrName);
                    const int entryCount = ldap_count_values_len(binaryValuesPtr);
                    if(0 == entryCount || NULL == binaryValuesPtr || NULL == binaryValuesPtr[multiAttrIndex])
                    {
                        throw CPKIFCacheException(thisComponent, -1);
                    }

                    while(multiAttrIndex < entryCount)
                    {
                        tmpPtr = binaryValuesPtr[multiAttrIndex];
                        if(NULL == tmpPtr)
                        {
                            break;
                        }

                        //bad_alloc caught by catch(...); cleanup executed
                        CPKIFCRLPtr tmpCRL(new CPKIFCRL());
                        try
                        {
                            
                            //create cert using tmpPtr->bv_val, tmpPtr->bv_len
                            tmpCRL->Decode((unsigned char*)tmpPtr->bv_val, tmpPtr->bv_len);

                            GottaMatch<CPKIFCRLPtr> gm;
                            gm.SetRHS(tmpCRL);
                            if(crlList.end() == find_if(crlList.begin(), crlList.end(), gm))
                                crlList.push_back(tmpCRL);
                        }
                        catch(CPKIFException&)
                        {
                            //EXCEPTION DELETION
                            //we don't need to pass this exception up - we should log the fact
                            //that a busted (or non) crl was found and keeping sifting through
                            //the remaining values, if any
                            //delete e;

                            //ignore entries that fail to parse
                            std::ostringstream os;
                            os << "Failed to parse CRL found in entry for " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                            LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this)
                        }


                        multiAttrIndex++;
                    }
                }

                ldap_memfree(tempAttrName); tempAttrName = NULL;
                tempAttrName = ldap_next_attribute(ldapStruct, curEntry, ber_temp);
            }while(NULL != tempAttrName);
        }
        catch(CPKIFException&)
        {
            //EXCEPTION DELETION
            //do nothing except clean up loop variables - we used these exceptions essentially as a goto
            CLEANUP;
            //delete e;
        }
        catch(...)
        {
            CLEANUP;
            throw;
        }

        if(origSize != crlList.size())
        {
            std::ostringstream os;
            //added ->string after issDN 12/3/2003
            os << "Found one or more CRLs issued by: " << issDN->ToString() << " on host " << m_impl->m_strHost->c_str();
            LOG_STRING_DEBUG(os.str().c_str(), thisComponent, 0, this);
        }
        else
        {
            std::ostringstream os;
            //added ->string after issDN 12/3/2003
            os << "Failed to find a CRL issued by: " << issDN->ToString() << " on host " << m_impl->m_strHost->c_str();
            LOG_STRING_INFO(os.str().c_str(), thisComponent, 0, this);
        }

        CLEANUP;
    }
}

std::string GetLdapUriMultiAttr(
    const char* host,
    int port,
    const char* entryDn,
    vector<string>& attributeList)
{
    ostringstream unescapedUriStream;
    unescapedUriStream << entryDn;
    std::string unescapedUriString = unescapedUriStream.str();

    int strLen = 0;
    try 
    {
        strLen = numeric_cast<int>(unescapedUriString.length());
    }
    catch(bad_numeric_cast &) 
    {
        throw CPKIFException(TOOLKIT_CACHE, COMMON_INVALID_INPUT, "Str length is an impossibly long number.");
    }

    char* fromCurl = curl_escape(unescapedUriString.c_str(), strLen);

    ostringstream escapedUriStream;

    escapedUriStream << "ldap://" << host << ":" << port << "/" << fromCurl << "?";

    if(fromCurl)
        curl_free(fromCurl);
    
    vector<string>::iterator pos;
    vector<string>::iterator end = attributeList.end();
    for(pos = attributeList.begin(); pos != end; ++pos)
    {
        if(pos != end-1)
            escapedUriStream << *pos << ",";
        else
            escapedUriStream << *pos;
    }

    std::string escapedUriString = escapedUriStream.str();
    return escapedUriString;
}
std::string GetLdapUri(
    const char* host,
    int port,
    const char* entryDn,
    const char* attribute)
{
    ostringstream unescapedUriStream;
    unescapedUriStream << entryDn;
    std::string unescapedUriString = unescapedUriStream.str();

    int strLen = 0;
    try 
    {
        strLen = numeric_cast<int>(unescapedUriString.length());
    }
    catch(bad_numeric_cast &) 
    {
        throw CPKIFException(TOOLKIT_CACHE, COMMON_INVALID_INPUT, "Str length is an impossibly long number.");
    }


    char* fromCurl = curl_escape(unescapedUriString.c_str(), strLen);

    ostringstream escapedUriStream;

    escapedUriStream << "ldap://" << host << ":" << port << "/" << fromCurl << "?" << attribute;

    if(fromCurl)
        curl_free(fromCurl);

    std::string escapedUriString = escapedUriStream.str();
    return escapedUriString;
}
void CPKIFLDAPRepository::GetCRLSources(
    const CPKIFCertificatePtr& cert, 
    CPKIFCrlSourceList& crlList,
    PKIInfoSource source
)
{
#undef CLEANUP
#define CLEANUP \
{ \
    if(NULL != binaryValuesPtr)\
    { ldap_value_free_len(binaryValuesPtr);binaryValuesPtr = NULL;}\
    if(NULL != tempAttrName)\
    { ldap_memfree(tempAttrName);tempAttrName = NULL;}\
    if(NULL != ber_temp)\
    { ber_free(ber_temp, 0);ber_temp = NULL;}\
    if(NULL != results)\
    { ldap_msgfree(results); results = NULL;}\
} 

    LOG_STRING_DEBUG("CPKIFLDAPRepository::GetCRLs(const CPKIFCertificatePtr& cert, CPKIFCRLList& crlList, PKIInfoSource source)", TOOLKIT_SR_LDAPREPOSITORY, 0, this);

    if(LOCAL == source)
    {
        LOG_STRING_DEBUG("Skipping CPKIFLDAPRepository - searching LOCAL sources only", thisComponent, 0, this);
        return;
    }

    size_t origSize = crlList.size();
    CPKIFNamePtr issDN = cert->Issuer();

    if(!m_impl->CheckNamespaces(issDN))
        return;

    CPKIFGeneralNameList nameList;
    CollectNamesFromCRLDP(cert, nameList);

    //we don't care about non-directory names in this handler
    CPKIFGeneralNameList::iterator newEnd = remove_if(nameList.begin(), nameList.end(), IsNonDirName);
    nameList.erase(newEnd, nameList.end());

    try
    {
        CPKIFGeneralNamePtr tmpGN(new CPKIFGeneralName(issDN));
        GottaMatch<CPKIFGeneralNamePtr> gm;
        gm.SetRHS(tmpGN);
        if(nameList.end() == find_if(nameList.begin(), nameList.end(), gm))
            nameList.push_back(tmpGN);
    }
    catch(std::bad_alloc*)
    {
        //nothing has been allocated yet - no need to proceed
        return;
    }

    //Find self
    CPKIFLDAPRepositoryPtr thisSP;
    std::vector<IPKIFMediator*>::iterator mPos = this->m_parents.begin();
    std::vector<IPKIFMediator*>::iterator mEnd = this->m_parents.end();
    for(;mPos != mEnd; ++mPos)
    {
        CPKIFCacheMediator2* cm =dynamic_cast<CPKIFCacheMediator2*>(*mPos);
        if(cm)
        {
            std::vector<IPKIFColleaguePtr> cl;
            cm->GetColleagues(cl);

            std::vector<IPKIFColleaguePtr>::iterator cPos;
            std::vector<IPKIFColleaguePtr>::iterator cEnd = cl.end();
            for(cPos = cl.begin(); cPos != cEnd; ++cPos)
            {
                IPKIFColleague* tmpP = &(*(*cPos));
                if(this == dynamic_cast<CPKIFLDAPRepository*>(tmpP))
                {
                    thisSP = boost::dynamic_pointer_cast<CPKIFLDAPRepository, IPKIFColleague>(*cPos);
                    break;
                }
            }
        }
    }

    vector<std::string> attrsOfInterest;
    attrsOfInterest.push_back("certificateRevocationList;binary");
    attrsOfInterest.push_back("authorityRevocationList;binary");
    attrsOfInterest.push_back("certificateRevocationList");
    attrsOfInterest.push_back("authorityRevocationList");
    attrsOfInterest.push_back("deltaRevocationList;binary");
    attrsOfInterest.push_back("deltaRevocationList");

    for(CPKIFGeneralNameList::iterator pos = nameList.begin(); pos != nameList.end(); ++pos)
    {
        CPKIFNamePtr tmpDN = (*pos)->directoryName();

        std::string uri1 = GetLdapUriMultiAttr(m_impl->m_strHost->c_str(), m_impl->m_nPort, tmpDN->ToString(), attrsOfInterest);
        if(!UriAlreadyInList(crlList, uri1))
        {
            CPKIFLdapCrlNodePtr newNode(new CPKIFLdapCrlNode(thisSP, tmpDN, attrsOfInterest));
            newNode->AddSource(uri1);
            crlList.push_back(newNode);
        }
    }
}

class CaseInsensitiveFind
{
public:
    bool operator()(const string& t);
    void SetRHS(const string& rhs) {m_rhs = rhs;}
private:
    string m_rhs;
};
bool CaseInsensitiveFind::operator()(const string& t)
{
    return 0 == stricmp(m_rhs.c_str(), t.c_str());      
}
void CPKIFLDAPRepository::GetCertificates(const CPKIFNamePtr& issDN, std::vector<std::string>& attributes, CPKIFCertificateNodeList& certNodeList, PathBuildingDirection pbd)
{
#undef CLEANUP
#define CLEANUP \
{ \
    if(NULL != binaryValuesPtr)\
    { ldap_value_free_len(binaryValuesPtr);binaryValuesPtr = NULL;}\
    if(NULL != tempAttrName)\
    { ldap_memfree(tempAttrName);tempAttrName = NULL;}\
    if(NULL != ber_temp)\
    { ber_free(ber_temp, 0);ber_temp = NULL;}\
    if(NULL != results)\
    { ldap_msgfree(results); results = NULL;}\
    if(attrsOfInterest) {delete attrsOfInterest; attrsOfInterest = NULL;}\
} 

    LOG_STRING_DEBUG("CPKIFLDAPRepository::GetCertificates(const CPKIFNamePtr& entry, std::vector<std::string>& attributes, CPKIFCertificateNodeList& certNodeList)", TOOLKIT_SR_LDAPREPOSITORY, 0, this);

    if(!m_impl->CheckNamespaces(issDN))
        return;

    size_t origSize = certNodeList.size();

    int ret = 0;

    LDAP* ldapStruct = NULL;
    LDAPMessage* results = NULL;    
    LDAPMessage* curEntry = NULL;       //does not need to be freed (per MSDN)
    BerElement *ber_temp = NULL;
    struct berval **binaryValuesPtr = NULL;
    struct berval *tmpPtr = NULL;

    const char* filter = "objectclass=*";
    char* certAttrName = "caCertificate;binary";
    char* crossCertAttrName = "crosscertificatepair;binary";
    char* certAttrName2 = "caCertificate";
    char* crossCertAttrName2 = "crosscertificatepair";
    char* userCertAttrName = "userCertificate"; //added these two to permit discovery of crl issuers 7/18
    char* userCertAttrName2 = "userCertificate;binary";
    char* tempAttrName = NULL;

    //added delta name 12/8/2003
    char** attrsOfInterest = new char*[attributes.size()+1];

    std::vector<std::string>::iterator pos;
    std::vector<std::string>::iterator end = attributes.end();
    int ii = 0;
    for(pos = attributes.begin(); pos != end; ++pos, ++ii)
        attrsOfInterest[ii] = const_cast<char*>((*pos).c_str());

    attrsOfInterest[ii] = NULL;

    int multiAttrIndex = 0;

    std::string strSource = *m_impl->m_strHost;
    ldapStruct = m_impl->ConnectAndBind(*m_impl->m_strHost, m_impl->m_nPort, *m_impl->m_strUsername, *m_impl->m_strPassword);
    if(NULL == ldapStruct)
    {
        if(!m_impl->m_bSuppressConnectionErrors)
        {
            std::ostringstream os;
            os << "Failed to connect and bind to LDAP directory on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_CONNECT_AND_BIND_FAILED, this)
        }
        else
            return;
    }

    try
    {
        const char* tmpSubDN = issDN->ToString();

        //turn on referral chasing (should be on by default but...)
        ldap_set_option(ldapStruct, LDAP_OPT_REFERRALS, LDAP_OPT_ON);

        //1MB ought to do for certs
        const int c_nMaxCertSize = 1000000;
        ldap_set_option(ldapStruct, LDAP_OPT_SIZELIMIT, &c_nMaxCertSize);

        //retrieve the directory entry
        ret = ldap_search_s(ldapStruct, (char*)tmpSubDN, LDAP_SCOPE_BASE, (char *)filter, attrsOfInterest, 0, &results);
        if(0 != ret || NULL == results)
        {
            //exceptions are thrown simply to get us to the bottom of this function so cleanup can occur
            std::ostringstream os;
            os << "ldap_search_s failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }

        curEntry = ldap_first_entry(ldapStruct, results);
        if(NULL == curEntry)
        {
            std::ostringstream os;
            os << "ldap_first_entry failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }
        
        tempAttrName = ldap_first_attribute(ldapStruct, curEntry, &ber_temp);
        if(NULL == curEntry || NULL == tempAttrName)
        {
            std::ostringstream os;
            os << "ldap_first_attribute failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }

        do
        {
            CaseInsensitiveFind csf;
            csf.SetRHS(tempAttrName);
            if(attributes.end() != find_if(attributes.begin(), attributes.end(), csf))
            {
                //compare the current attribute name to the certificate attribute name
                if(0 == stricmp(certAttrName, tempAttrName) || 0 == stricmp(userCertAttrName, tempAttrName) ||
                    0 == stricmp(certAttrName2, tempAttrName) || 0 == stricmp(userCertAttrName2, tempAttrName))
                {
                    multiAttrIndex = 0;
                    if(NULL != binaryValuesPtr)
                    {
                        ldap_value_free_len(binaryValuesPtr); binaryValuesPtr = NULL;
                    }

                    binaryValuesPtr = ldap_get_values_len(ldapStruct, curEntry, tempAttrName);
                    const int entryCount = ldap_count_values_len(binaryValuesPtr);
                    if(0 != entryCount && NULL != binaryValuesPtr && NULL != binaryValuesPtr[multiAttrIndex])
                    {
                        //iterate over all of the values
                        while(multiAttrIndex < entryCount)
                        {
                            tmpPtr = binaryValuesPtr[multiAttrIndex];
                            if(NULL == tmpPtr)
                            {
                                break;
                            }

                            //bad_alloc caught by catch(...); cleanup executed
                            CPKIFCertificatePtr tmpCert(new CPKIFCertificate()); 
                            try
                            {
                                //create cert using tmpPtr->bv_val, tmpPtr->bv_len
                                tmpCert->Decode((unsigned char*)tmpPtr->bv_val, tmpPtr->bv_len);                        

                                CPKIFCertificateNodeEntryPtr tmpCertNode(new CPKIFCertificateNodeEntry(tmpCert));
                                GottaMatch<CPKIFCertificateNodeEntryPtr> gm;
                                gm.SetRHS(tmpCertNode);
                                if(certNodeList.end() == find_if(certNodeList.begin(), certNodeList.end(), gm))
                                {
                                    std::string uri1 = GetLdapUriMultiAttr(m_impl->m_strHost->c_str(), m_impl->m_nPort, tmpSubDN, attributes);

                                    vector<string> tmpAttrsOfInterest;
                                    tmpAttrsOfInterest.push_back(tempAttrName);
                                    std::string uri2 = GetLdapUriMultiAttr(m_impl->m_strHost->c_str(), m_impl->m_nPort, tmpSubDN, tmpAttrsOfInterest);

                                    //tmpCertNode->AddSource(strSource);
                                    tmpCertNode->AddSource(uri1);
                                    tmpCertNode->AddSource(uri2);
                                    tmpCertNode->SetSource(REMOTE);
                                    tmpCertNode->SetState(PAS_AVAILABLE);
                                    certNodeList.push_back(tmpCertNode);
                                }
                            }
                            catch(CPKIFException&)
                            {
                                //EXCEPTION DELETION
                                //we don't need to pass this exception up - we should log the fact
                                //that a busted (or non) cert was found and keeping sifting through
                                //the remaining values, if any
                                //delete e;

                                //ignore entries that fail to parse
                                std::ostringstream os;
                                os << "Failed to parse certificate found in entry for " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                                LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this)
                            }

                            multiAttrIndex++;
                        }
                    }
                }
                else if(0 == stricmp(crossCertAttrName, tempAttrName) || 0 == stricmp(crossCertAttrName2, tempAttrName))
                {
                    multiAttrIndex = 0;
                    if(NULL != binaryValuesPtr)
                    {
                        ldap_value_free_len(binaryValuesPtr); binaryValuesPtr = NULL;
                    }
                    binaryValuesPtr = ldap_get_values_len(ldapStruct, curEntry, tempAttrName);
                    const int entryCount = ldap_count_values_len(binaryValuesPtr);
                    if(0 != entryCount && NULL != binaryValuesPtr && NULL != binaryValuesPtr[multiAttrIndex])
                    {
                        while(multiAttrIndex < entryCount)
                        {
                            tmpPtr = binaryValuesPtr[multiAttrIndex];
                            if(NULL == tmpPtr)
                            {
                                break;
                            }

                            try
                            {
                                CACASNWRAPPER_CREATE(CACX509V3CertificatePair, objPDU);
                                objPDU.Decode((unsigned char*)tmpPtr->bv_val, tmpPtr->bv_len);

                                if((objPDU->m.forwardPresent && PBD_FORWARD == pbd) ||
                                    (objPDU->m.reversePresent && PBD_REVERSE == pbd))
                                {
                                    //bad_alloc caught by catch(...); cleanup executed
                                    CPKIFCertificatePtr tmpCert(new CPKIFCertificate);

                                    //bad_alloc caught by catch(...); cleanup executed
                                    unsigned char* buf = new unsigned char[tmpPtr->bv_len];

                                    OOCTXT ctxt;
                                    initContext (&ctxt);
                                    setBEREncBufPtr(&ctxt, buf, tmpPtr->bv_len);
                                    if(objPDU->m.forwardPresent && PBD_FORWARD == pbd)
                                        BEREncCACX509V3Certificate(&ctxt, &objPDU->forward, ASN1EXPL);
                                    else if(objPDU->m.reversePresent && PBD_REVERSE == pbd)
                                        BEREncCACX509V3Certificate(&ctxt, &objPDU->reverse, ASN1EXPL);

                                    try
                                    {
                                        int iCertLen = 0;
                                        try 
                                        {
                                            iCertLen = numeric_cast<int>(ctxt.buffer.size - ctxt.buffer.byteIndex - 1);
                                        }
                                        catch(bad_numeric_cast &) 
                                        {
                                            throw CPKIFException(TOOLKIT_CACHE, COMMON_INVALID_INPUT, "Certificate size is larger than maximum integer size.");
                                        }

                                        tmpCert->Decode(ctxt.buffer.data + ctxt.buffer.byteIndex, iCertLen);

                                        CPKIFCertificateNodeEntryPtr tmpCertNode(new CPKIFCertificateNodeEntry(tmpCert));
                                        GottaMatch<CPKIFCertificateNodeEntryPtr> gm;
                                        gm.SetRHS(tmpCertNode);
                                        if(certNodeList.end() == find_if(certNodeList.begin(), certNodeList.end(), gm))
                                        {
                                            std::string uri1 = GetLdapUriMultiAttr(m_impl->m_strHost->c_str(), m_impl->m_nPort, tmpSubDN, attributes);

                                            vector<string> tmpAttrsOfInterest;
                                            tmpAttrsOfInterest.push_back(tempAttrName);
                                            std::string uri2 = GetLdapUriMultiAttr(m_impl->m_strHost->c_str(), m_impl->m_nPort, tmpSubDN, tmpAttrsOfInterest);

                                            tmpCertNode->AddSource(uri1);
                                            tmpCertNode->AddSource(uri2);
                                            //tmpCertNode->AddSource(strSource);
                                            tmpCertNode->SetSource(REMOTE);
                                            tmpCertNode->SetState(PAS_AVAILABLE);
                                            certNodeList.push_back(tmpCertNode);
                                        }
                                    }
                                    catch(CPKIFException&)
                                    {
                                        //EXCEPTION DELETION
                                        //we don't need to pass this exception up - we should log the fact
                                        //that a busted (or non) cert was found and keeping sifting through
                                        //the remaining values, if any
                                        //delete e;

                                        //ignore entries that fail to parse
                                        std::ostringstream os;
                                        os << "Failed to parse certificate from cross-certificate found in entry for " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                                        LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this)
                                    }

                                    freeEncodeBuffer(&ctxt);
                                    memFreeAll(&ctxt);
                                    delete[] buf;
                                }
                            }
                            catch(CPKIFException&)
                            {
                                //EXCEPTION DELETION
                                //we don't need to pass this exception up - we should log the fact
                                //that a busted (or non) cert was found and keeping sifting through
                                //the remaining values, if any
                                //delete e;

                                //ignore entries that do not parse
                                std::ostringstream os;
                                os << "Failed to parse certificate from cross-certificate found in entry for " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                                LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this)
                            }

                            multiAttrIndex++;
                        }
                    }
                }
            }

            ldap_memfree(tempAttrName); tempAttrName = NULL;
            tempAttrName = ldap_next_attribute(ldapStruct, curEntry, ber_temp);
        }while(NULL != tempAttrName);
    }
    catch(CPKIFException&)
    {
        //EXCEPTION DELETION
        //do nothing except clean up loop variables - we used these exceptions essentially as a goto
        CLEANUP;
        //delete e;
    }
    catch(...)
    {
        CLEANUP;
        throw;
    }

    if(origSize != certNodeList.size())
    {
        std::ostringstream os;
        //added ->string after issDN 12/3/2003
        os << "Found one or more certificates issued to: " << issDN->ToString() << " on host " << m_impl->m_strHost->c_str();
        LOG_STRING_DEBUG(os.str().c_str(), thisComponent, 0, this);
    }
    else
    {
        std::ostringstream os;
        //added ->string after issDN 12/3/2003
        os << "Failed to find a CRL issued by: " << issDN->ToString() << " on host " << m_impl->m_strHost->c_str();
        LOG_STRING_INFO(os.str().c_str(), thisComponent, 0, this);
    }

    CLEANUP;
}
void CPKIFLDAPRepository::GetCRLs(const CPKIFNamePtr& issDN, std::vector<std::string>& attributes, CPKIFCRLNodeList& crlList)
{
#undef CLEANUP
#define CLEANUP \
{ \
    if(NULL != binaryValuesPtr)\
    { ldap_value_free_len(binaryValuesPtr);binaryValuesPtr = NULL;}\
    if(NULL != tempAttrName)\
    { ldap_memfree(tempAttrName);tempAttrName = NULL;}\
    if(NULL != ber_temp)\
    { ber_free(ber_temp, 0);ber_temp = NULL;}\
    if(NULL != results)\
    { ldap_msgfree(results); results = NULL;}\
} 

    LOG_STRING_DEBUG("CPKIFLDAPRepository::GetCRLs(const CPKIFNamePtr& entry, std::vector<std::string>& attributes, CPKIFCRLNodeList& crlList)", TOOLKIT_SR_LDAPREPOSITORY, 0, this);

    size_t origSize = crlList.size();

    int ret = 0;

    LDAP* ldapStruct = NULL;
    LDAPMessage* results = NULL;    
    LDAPMessage* curEntry = NULL;       //does not need to be freed (per MSDN)
    BerElement *ber_temp = NULL;
    struct berval **binaryValuesPtr = NULL;
    struct berval *tmpPtr = NULL;

    const char* filter = "objectclass=*";
    char* tempAttrName = NULL;

    //added delta name 12/8/2003
    char** attrsOfInterest = new char*[attributes.size()+1];

    if(!m_impl->CheckNamespaces(issDN))
        return;

    std::vector<std::string>::iterator pos;
    std::vector<std::string>::iterator end = attributes.end();
    int ii = 0;
    for(pos = attributes.begin(); pos != end; ++pos, ++ii)
        attrsOfInterest[ii] = const_cast<char*>((*pos).c_str());

    attrsOfInterest[attributes.size()] = 0x00;

    int multiAttrIndex = 0;

    ldapStruct = m_impl->ConnectAndBind(*m_impl->m_strHost, m_impl->m_nPort, *m_impl->m_strUsername, *m_impl->m_strPassword);
    if(NULL == ldapStruct)
    {
        if(!m_impl->m_bSuppressConnectionErrors)
        {
            std::ostringstream os;
            os << "Failed to open connection to " << *m_impl->m_strHost << " on port " << m_impl->m_nPort;
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_CONNECT_AND_BIND_FAILED, this)
        }
        else
            return;
    }

    try
    {
        const char* tmpSubDN = issDN->ToString();

        //turn on referral chasing (should be on by default but...)
        ldap_set_option(ldapStruct, LDAP_OPT_REFERRALS, LDAP_OPT_ON);

        //added 7/20/2004 -> raised to 100MB 11/17/2006
        const int c_nMaxCRLSize = 100000000;
        ldap_set_option(ldapStruct, LDAP_OPT_SIZELIMIT, &c_nMaxCRLSize);

        //retrieve the directory entry
        ret = ldap_search_s(ldapStruct, (char*)tmpSubDN, LDAP_SCOPE_BASE, (char *)filter, attrsOfInterest, 0, &results);
        if(0 != ret || NULL == results)
        {
            //exceptions are thrown simply to get us to the bottom of this function so cleanup can occur
            std::ostringstream os;
            os << "ldap_search_s failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }

        curEntry = ldap_first_entry(ldapStruct, results);
        if(NULL == curEntry)
        {
            std::ostringstream os;
            os << "ldap_first_entry failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }
        
        tempAttrName = ldap_first_attribute(ldapStruct, curEntry, &ber_temp);
        if(NULL == curEntry || NULL == tempAttrName)
        {
            std::ostringstream os;
            os << "ldap_first_attribute failed searching entry for  " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
            CLEANUP
            RAISE_CACHE_EXCEPTION(os.str().c_str(), thisComponent, CACHE_LDAP_ERROR, this)
        }

        do
        {
            if(attributes.end() != find(attributes.begin(), attributes.end(), tempAttrName))
            {
                multiAttrIndex = 0;
                if(NULL != binaryValuesPtr)
                {
                    ldap_value_free_len(binaryValuesPtr);binaryValuesPtr = NULL;
                }
                binaryValuesPtr = ldap_get_values_len(ldapStruct, curEntry, tempAttrName);
                const int entryCount = ldap_count_values_len(binaryValuesPtr);
                if(0 == entryCount || NULL == binaryValuesPtr || NULL == binaryValuesPtr[multiAttrIndex])
                {
                    throw CPKIFCacheException(thisComponent, -1);
                }

                while(multiAttrIndex < entryCount)
                {
                    tmpPtr = binaryValuesPtr[multiAttrIndex];
                    if(NULL == tmpPtr)
                    {
                        break;
                    }

                    //bad_alloc caught by catch(...); cleanup executed
                    CPKIFCRLPtr tmpCRL(new CPKIFCRL());
                    try
                    {
                        //create cert using tmpPtr->bv_val, tmpPtr->bv_len
                        tmpCRL->Decode((unsigned char*)tmpPtr->bv_val, tmpPtr->bv_len);

                        CPKIFCRLNodeEntryPtr tmpCRLNode(new CPKIFCRLNodeEntry(tmpCRL));
                        GottaMatch<CPKIFCRLNodeEntryPtr> gm;
                        gm.SetRHS(tmpCRLNode);
                        if(crlList.end() == find_if(crlList.begin(), crlList.end(), gm))
                        {
                            std::string uri1 = GetLdapUriMultiAttr(m_impl->m_strHost->c_str(), m_impl->m_nPort, tmpSubDN, attributes);

                            vector<string> attrsOfInterest;
                            attrsOfInterest.push_back(tempAttrName);
                            std::string uri2 = GetLdapUriMultiAttr(m_impl->m_strHost->c_str(), m_impl->m_nPort, tmpSubDN, attrsOfInterest);
                            tmpCRLNode->AddSource(uri1);
                            tmpCRLNode->AddSource(uri2);
                            crlList.push_back(tmpCRLNode);
                        }
                    }
                    catch(CPKIFException&)
                    {
                        //EXCEPTION DELETION
                        //we don't need to pass this exception up - we should log the fact
                        //that a busted (or non) crl was found and keeping sifting through
                        //the remaining values, if any
                        //delete e;

                        //ignore entries that fail to parse
                        std::ostringstream os;
                        os << "Failed to parse CRL found in entry for " << tmpSubDN << " on host " << m_impl->m_strHost->c_str();
                        LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this)
                    }

                    multiAttrIndex++;
                }
            }

            ldap_memfree(tempAttrName); tempAttrName = NULL;
            tempAttrName = ldap_next_attribute(ldapStruct, curEntry, ber_temp);
        }while(NULL != tempAttrName);
    }
    catch(CPKIFException&)
    {
        //EXCEPTION DELETION
        //do nothing except clean up loop variables - we used these exceptions essentially as a goto
        CLEANUP;
        //delete e;
    }
    catch(...)
    {
        CLEANUP;
        throw;
    }

    if(origSize != crlList.size())
    {
        std::ostringstream os;
        //added ->string after issDN 12/3/2003
        os << "Found one or more CRLs issued by: " << issDN->ToString() << " on host " << m_impl->m_strHost->c_str();
        LOG_STRING_DEBUG(os.str().c_str(), thisComponent, 0, this);
    }
    else
    {
        std::ostringstream os;
        //added ->string after issDN 12/3/2003
        os << "Failed to find a CRL issued by: " << issDN->ToString() << " on host " << m_impl->m_strHost->c_str();
        LOG_STRING_INFO(os.str().c_str(), thisComponent, 0, this);
    }

    CLEANUP;
}
void CPKIFLDAPRepository::GetCertificateSources(
    const CPKIFCertificatePtr& cert, 
    CPKIFCertificateSourceList& certs, 
    PathBuildingDirection pbd)
{
    vector<std::string> attrsOfInterest;
    attrsOfInterest.push_back("crosscertificatepair;binary");
    attrsOfInterest.push_back("crosscertificatepair");

    CPKIFNamePtr tmpDN;
    if(PBD_FORWARD == pbd)
    {
        tmpDN = cert->Issuer();
        attrsOfInterest.push_back("caCertificate;binary");
        attrsOfInterest.push_back("caCertificate");
    }
    else
        tmpDN = cert->Subject();

    if(!m_impl->CheckNamespaces(tmpDN))
        return;

    std::string uri1 = GetLdapUriMultiAttr(m_impl->m_strHost->c_str(), m_impl->m_nPort, tmpDN->ToString(), attrsOfInterest);
    //Find self
    CPKIFLDAPRepositoryPtr thisSP;
    std::vector<IPKIFMediator*>::iterator mPos = this->m_parents.begin();
    std::vector<IPKIFMediator*>::iterator mEnd = this->m_parents.end();
    for(;mPos != mEnd; ++mPos)
    {
        CPKIFCacheMediator2* cm =dynamic_cast<CPKIFCacheMediator2*>(*mPos);
        if(cm)
        {
            std::vector<IPKIFColleaguePtr> cl;
            cm->GetColleagues(cl);

            std::vector<IPKIFColleaguePtr>::iterator cPos;
            std::vector<IPKIFColleaguePtr>::iterator cEnd = cl.end();
            for(cPos = cl.begin(); cPos != cEnd; ++cPos)
            {
                IPKIFColleague* tmpP = &(*(*cPos));
                if(this == dynamic_cast<CPKIFLDAPRepository*>(tmpP))
                {
                    thisSP = dynamic_pointer_cast<CPKIFLDAPRepository, IPKIFColleague>(*cPos);
                    break;
                }
            }
        }
    }

    if(!UriAlreadyInList(certs, uri1))
    {
        CPKIFLdapCertNodePtr newNode(new CPKIFLdapCertNode(thisSP, tmpDN, attrsOfInterest));
        newNode->AddSource(uri1);
        certs.push_back(newNode);
    }
}
void CPKIFLDAPRepository::AddNamespace(CPKIFGeneralSubtreePtr& name)
{
    m_impl->m_namespaces.push_back(name);
}
CPKIFGeneralSubtreeList CPKIFLDAPRepository::GetNamespaces()
{
    return m_impl->m_namespaces;
}