CACOCSPChecker.cpp

Go to the documentation of this file.

#include "PKIFOCSPChecker.h"

#include "PKIFCRLInfo.h"
#include "SingleResponse.h"
#include "OID.h"
#include "Buffer.h"
#include "Certificate.h"
#include "TBSRequest.h"
#include "BasicOCSPResponse.h"
#include "PKIFOCSPInfo.h"
#include "CertID.h"
#include "Request.h"
#include "ResponderID.h"
#include "ResponseData.h"
#include "OCSPCertStatus.h"
#include "GeneralName.h"
#include "X509Extension.h"
#include "AuthorityInfoAccess.h"
#include "ResponseBytes.h"
#include "OCSPResponse.h"
#include "AlgorithmIdentifier.h"
#include "IPKIFCryptoRaw.h"
#include "SubjectKeyIdentifier.h"

#include "PKIFTime.h"
#include "ToolkitUtils.h"
#include "GottaMatch.h"
#include "PKIFFuncStorage.h"

#include "PKIFKeyMaterial.h"
#include "PKIFCertStatus.h"
#include "PKIFCertificatePath.h"
#include "PKIFPathSettings.h"
#include "PathResults.h"
#include "IPKIFPathBuild.h"
#include "IPKIFPathValidate.h"
#include "IPKIFCryptoMisc.h"
#include "IPKIFHashContext.h"
#include "IPKIFCryptoRawOperations.h"
#include "RevocationSource.h"

#include "OCSPException.h"
#include "PKIFOCSPErrors.h"
#include "PKIFPATHErrors.h"             //path errors

#include "SearchCriteria.h"
#include "SubjectPublicKeyInfo.h"
#include "AccessDescription.h"
#include "ExtendedKeyUsage.h"
#include "OCSPRequest.h"
#include "ASN1Helper.h"
#include "OCSP.h"
// Added during porting
#include "IPKIFHashContext.h"
#include "PKIFMediators.h"
#include "IPKIFNameAndKey.h"
#include "GeneralSubtree.h"

//#define _DEBUG_URI_DUMP 1
#ifdef _DEBUG_URI_DUMP
#include <fstream>
extern ofstream g_uriLogFile;
#endif
using namespace std;

void keyUsageChecker_Any(const CPKIFCertificateNodeEntryPtr& certNode, CPKIFPathValidationResults& results, CertificateType type);
void EKUChecker_OcspSigning(const CPKIFCertificateNodeEntryPtr& certNode, CPKIFPathValidationResults& results, CertificateType type);

CAC_API CPKIFOIDPtr g_adOCSP
    (new CPKIFOID(CPKIFStringPtr(new std::string("1.3.6.1.5.5.7.48.1"))));//id-pkix-ad-ocsp
CAC_API CPKIFOIDPtr g_ocspBasic
    (new CPKIFOID(CPKIFStringPtr(new std::string("1.3.6.1.5.5.7.48.1.1"))));//id-pkix-ocsp-basic
CAC_API CPKIFOIDPtr g_ocspNonce
    (new CPKIFOID(CPKIFStringPtr(new std::string("1.3.6.1.5.5.7.48.1.2"))));//id-pkix-ocsp-nonce
CAC_API CPKIFOIDPtr g_ocspNoCheck
    (new CPKIFOID(CPKIFStringPtr(new std::string("1.3.6.1.5.5.7.48.1.5"))));//id-pkix-ocsp-nocheck //corrected OID 8/23/2004




struct CPKIFOCSPCheckerImpl
{
    CPKIFOCSPChecker* m_parent;
    CPKIFOCSPCheckerImpl ()
    {
        m_parent = NULL;
        m_bRequireThisCert = false;
        m_port = 80;
        m_bCacheResponders = false;
    }
    CPKIFOCSPCheckerImpl (CPKIFOCSPChecker  *p) 
    {
        m_parent = p;
    }
    bool m_bGenerateNonce;
    bool m_bRequireNonceMatch;
    bool m_bMultiCertRequest;
    CPKIFStringPtr m_url;
    CPKIFStringPtr m_host;
    int m_port;
    bool m_bLocalConfig;
    bool m_bRequireThisCert;
    CPKIFCertificatePtr m_responderCert;

    CPKIFGeneralSubtreeList m_namespaces;
    CPKIFGeneralSubtreeList m_issuerNamespaces;
    bool CheckNamespaces(const CPKIFCertificatePtr& cert);
    bool CheckIssuerNamespaces(const CPKIFCertificatePtr& cert);

    CPKIFPathSettingsPtr m_settings;

    CPKIFCredentialPtr m_cred;

    void AddValidatedResponderCert(CPKIFCertificatePtr& cert);
    bool HasCertBeenValidated(CPKIFCertificatePtr& cert);
    vector<CPKIFCertificatePtr> m_validatedResponderCerts;
    bool m_bCacheResponders;

    //relocated these to path settings 7/18/2004 
//  CPKIFDurationPtr m_duration;
//  bool m_bRequireSufficientlyRecent;

    //----------------------------------------------------------------------------------------------------
    //private member functions
    //----------------------------------------------------------------------------------------------------
    bool ProcessResponse(CPKIFBufferPtr& bp, CPKIFBasicOCSPResponsePtr& basicOCSPResponse, CPKIFCertificatePtr& signersCert, 
                    int* error, CPKIFOCSPResponsePtr& response);

    //These three functions are logical "revocation sources".  it is possible to generate two revocations sources
    //in a call to the public interface CheckStatus or CheckStatusPath functions.  this can occur if there is
    //an error (or incomplete response) when consulting a local responder and success w/ a responder identified
    //by an AIA extension.  These functions are responsible for insuring that all cert status objects are populated
    //with an OCSP info object.
    bool CheckOCSPStatus_Combo(const char* host, int port, const char* object, const CPKIFCertificatePath& path, const char* url = NULL);
    bool CheckOCSPStatus_Local(const char* host, int port, const char* object, CPKIFCertificate& cert, 
        const IPKIFNameAndKey* issuersCert, CPKIFCertStatusPtr& certStatus, CPKIFPathSettingsPtr& ps, const char* url = NULL, const CPKIFCertificatePath* prevPath = NULL); //added path param 8/23/2004
    bool CheckOCSPStatus_URL(const char* url, CPKIFCertificate& cert, const IPKIFNameAndKey* issuersCert, CPKIFCertStatusPtr& certStatus, CPKIFPathSettingsPtr& ps, const CPKIFCertificatePath* prevPath = NULL); //added path param 8/23/2004

    //The remaining private functions are all utility in nature.

    //the following two functions submit a request, retrieve the response then perform basic checks on the response.
    bool CheckOCSPStatus(const char* host, int port, const char* object, CPKIFBufferPtr& ocspReq, 
                    CPKIFBasicOCSPResponsePtr& basicOCSPResponse, CPKIFCertificatePtr& signersCert, 
                    int* error, CPKIFOCSPResponsePtr& response, CPKIFPathSettingsPtr& ps, const char* url = NULL);

    //the following function searches an ocsp response for a specific cert.
    bool CheckCertStatus(CPKIFSingleResponseList& responses, const CPKIFCertificatePtr& ocspSignersCert,
                     const IPKIFNameAndKey* issuersCert, const CPKIFCertificate& targetCert, RevocationStatus& revStatus, 
                     CPKIFOCSPInfoPtr& ocspInfo, int* error, CPKIFPathSettingsPtr& ps);

    //the following functions verify signature on the response (including selection of signer's cert)
    CPKIFCertificatePtr CertChooser(CPKIFBasicOCSPResponse& basicOCSPResponse);
    bool VerifyBasicOCSPResponseSignature(CPKIFBasicOCSPResponse& basicOCSPResponse, CPKIFCertificatePtr& signersCert);

    //the following functions implement some of the basic checks
    bool CheckSignerAuth(const IPKIFNameAndKey* issuersCert, const CPKIFCertificate& signersCert);
    bool CheckTime(CPKIFSingleResponsePtr& sr, int* error, CPKIFPathSettingsPtr& ps);
    bool ValidatePath(CPKIFCertificatePtr& signersCert, int* error, const CPKIFCertificatePath* prevPath = NULL); //added path param 8/23/2004
};
void CPKIFOCSPCheckerImpl::AddValidatedResponderCert(
    CPKIFCertificatePtr& cert)
{
    if(!m_bCacheResponders)
        return;

    if(!HasCertBeenValidated(cert))
        m_validatedResponderCerts.push_back(cert);
}
bool CPKIFOCSPCheckerImpl::HasCertBeenValidated(
    CPKIFCertificatePtr& cert)
{
    if(!m_bCacheResponders)
        return false;

    GottaMatch<CPKIFCertificatePtr> gm;
    gm.SetRHS(cert);
    if(m_validatedResponderCerts.end() == find_if(m_validatedResponderCerts.begin(), m_validatedResponderCerts.end(), gm))
        return false;
    else
        return true;
}

bool CPKIFOCSPCheckerImpl::CheckNamespaces(const CPKIFCertificatePtr& cert)
{
    if(cert == (CPKIFCertificate*)NULL)
        return false;

    CPKIFNamePtr subjectName = cert->GetSubjectName();
    CPKIFGeneralSubtreeList::iterator pos;
    CPKIFGeneralSubtreeList::iterator end = m_namespaces.end();
    for(pos = m_namespaces.begin(); pos != end; ++pos)
    {
        if(CPKIFGeneralSubtree::MATCH == (*pos)->IsInSubtree(subjectName))
            return true;
    }

    //if we get here then either it's not a match (cause the list isn't empty)
    //or it is a match (cause the list is empty).  when the list is empty, we
    //accept all comers.
    return m_namespaces.empty();
}

bool CPKIFOCSPCheckerImpl::CheckIssuerNamespaces(const CPKIFCertificatePtr& cert)
{
    if(cert == (CPKIFCertificate*)NULL)
        return false;

    CPKIFNamePtr issuerName = cert->GetIssuerName();
    CPKIFGeneralSubtreeList::iterator pos;
    CPKIFGeneralSubtreeList::iterator end = m_issuerNamespaces.end();
    for(pos = m_issuerNamespaces.begin(); pos != end; ++pos)
    {
        if(CPKIFGeneralSubtree::MATCH == (*pos)->IsInSubtree(issuerName))
            return true;
    }

    //if we get here then either it's not a match (cause the list isn't empty)
    //or it is a match (cause the list is empty).  when the list is empty, we
    //accept all comers.
    return m_issuerNamespaces.empty();
}


void CPKIFOCSPChecker::SetCacheValidatedResponders(
    bool b)
{
    m_impl->m_bCacheResponders = b;
}
bool CPKIFOCSPChecker::GetCacheValidatedResponders()
{
    return m_impl->m_bCacheResponders;
}


CAC_API CPKIFOCSPChecker* MakeOCSPChecker()
{
    return new CPKIFOCSPChecker();
}
CAC_API void FreeOCSPChecker(
    CPKIFOCSPChecker* s)
{
    if(s)
    {
        delete s;
    }
}
//----------------------------------------------------------------------------------------------------
//
//  Non-member functions
//
//----------------------------------------------------------------------------------------------------
//If the following 2 functions are altered such that SHA1 is no longer used
//then the code below that creates the CertID objects MUST be altered to 
//include a different algorithm identifier.
CPKIFBufferPtr _HashIssuerName(
    const CPKIFCertificate& cert, 
    IPKIFColleague* m)
{
    LOG_STRING_DEBUG("_HashIssuerName", TOOLKIT_OCSP_CHECKER, 0, NULL);

    //get the necessary interface
    IPKIFCryptoMisc* cMisc = m->GetMediatorFromParent<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_MEDIATOR_MISSING,"IPKIFCryptoMisc interface was not available.");

    //get the issuer name from the cert
    CPKIFNamePtr issuerName = cert.Issuer();
    if(issuerName == (CPKIFName*)NULL)
        throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_INVALID_INPUT,"Invalid cert passed to issuer name hashing function");

    //encode it
    CPKIFBufferPtr tmp = issuerName->Encoded();

    //get a hash context
    IPKIFHashContext* hi = cMisc->HashInit(PKIFCRYPTO::SHA1);
    if(NULL == hi)
        throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_UNSUPPORTED_ALG,"");

    //allocate memory for hash result - this will be handed off to the buffer pointer below
    int hashResultLen = MAXHASH;
    unsigned char* hashResult = NULL;
    
    try
    {
        hashResult = new unsigned char[MAXHASH];
    }
    catch(std::bad_alloc& ba)
    {
        delete hi;
        throw ba;
    }

    try
    {
        cMisc->HashUpdate(hi, (unsigned char*)tmp->GetBuffer(), tmp->GetLength());
        cMisc->HashFinal(hi, hashResult, &hashResultLen);
    }
    catch(CPKIFException& e)
    {
        delete hi;
        delete[] hashResult;
        throw e;
    }
    delete hi;

    CPKIFBufferPtr issuerNameHash(new CPKIFBuffer(true, hashResult, hashResultLen));
    return issuerNameHash;
}
CPKIFBufferPtr _HashPublicKey(
    const IPKIFNameAndKey& cert, 
    IPKIFColleague* m)
{
    LOG_STRING_DEBUG("_HashPublicKey", TOOLKIT_OCSP_CHECKER, 0, NULL);

    //get the necessary interface
    IPKIFCryptoMisc* cMisc = m->GetMediatorFromParent<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_MEDIATOR_MISSING,"IPKIFCryptoMisc interface was not available.");

    //ASN1DynBitStr* key = cert.SubjectPublicKeyInfo()->rawKey();
    CPKIFBufferPtr key = cert.GetKey();
    if(key == (CPKIFBuffer*)NULL)
        throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_INVALID_INPUT,"Invalid cert passed to issuer name hashing function");

    //get a hash context
    IPKIFHashContext* hi = cMisc->HashInit(PKIFCRYPTO::SHA1);
    if(NULL == hi)
        throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_UNSUPPORTED_ALG,"");

    //allocate memory for hash result - this will be handed off to the buffer pointer below
    int hashResultLen = MAXHASH;
    unsigned char* hashResult = NULL;
    
    try
    {
        hashResult = new unsigned char[MAXHASH];
    }
    catch(std::bad_alloc& ba)
    {
        delete hi;
        throw ba;
    }

    try
    {
        //cMisc->HashUpdate(hi, (unsigned char*)key->data, key->numbits/8);
        cMisc->HashUpdate(hi, (unsigned char*)key->GetBuffer(), key->GetLength());
        cMisc->HashFinal(hi, hashResult, &hashResultLen);
    }
    catch(CPKIFException& e)
    {
        delete hi;
        delete[] hashResult;
        throw e;
    }
    delete hi;

    CPKIFBufferPtr issuerKeyHash(new CPKIFBuffer(true, hashResult, hashResultLen));
    return issuerKeyHash;
}
CPKIFBufferPtr _CreateSimpleOCSPRequest(
    //[in] A reference to CPKIFCertificate object which contain the certificate we what to find out status for
    const CPKIFCertificate& cert,
    //[in] A reference to CPKIFCertificate object which contains the issuer certificate
    const IPKIFNameAndKey* issuersCert,
    IPKIFColleague* m,
    CPKIFBufferPtr& nonce,
    bool generateNonce,
    
    CPKIFCredentialPtr& cred)
{
    LOG_STRING_DEBUG("_CreateSimpleOCSPRequest", TOOLKIT_OCSP_CHECKER, 0, NULL);

    //get hash of the issuer DN
    CPKIFBufferPtr issuerNameHash = _HashIssuerName(cert, m);

    //hash issuer's public key
    CPKIFBufferPtr issuerKeyHash = _HashPublicKey(*issuersCert, m);

    //get target cert's serial number
    CPKIFStringPtr targetSerialNumber(new std::string(cert.SerialNumber()));

    //prepare certID
    CPKIFCertIDPtr certID(new CPKIFCertID);
    certID->SetHashAlg(g_sha1AI);
    certID->SetIssuerNameHash(issuerNameHash);
    certID->SetIssuerKeyHash(issuerKeyHash);
    certID->SetSerialNumber(targetSerialNumber);

    //create a new request (we use no request extensions presently)
    CPKIFRequestPtr req(new CPKIFRequest);
    req->SetCertID(certID);

    //create a to-be-signed request the add the request to it
    CPKIFTBSRequestPtr tbsReq(new CPKIFTBSRequest);
    tbsReq->AddRequest(req);

    if(generateNonce)
        nonce = tbsReq->GetNonce();
    else
        tbsReq->SetGenerateNonce(false);

    //hand the to-be-signed request to the ocsp request then encode it
    CPKIFOCSPRequest ocspReq;
    ocspReq.SetRequest(tbsReq, cred, m->GetMediatorFromParent<IPKIFMediator>());

    return ocspReq.Encode();
}
CPKIFBufferPtr _CreateComplexOCSPRequest(
    const CPKIFCertificatePath& path, 
    IPKIFColleague* m, 
    CPKIFBufferPtr& nonce, 
    bool generateNonce, 
    //[in] A reference to a smart pointer to a CPKIFCredential object
    CPKIFCredentialPtr& cred)
{
    LOG_STRING_DEBUG("_CreateComplexOCSPRequest", TOOLKIT_OCSP_CHECKER, 0, NULL);

    //get list of certs that comprise the path
    CPKIFCertificateNodeList certPath;
    path.GetPath(certPath);

    //harvest the trust root cert
    IPKIFTrustAnchorPtr tr;
    path.GetTrustRoot(tr);
    IPKIFNameAndKeyPtr issuersCert = tr;

    //create a to-be-signed request
    CPKIFTBSRequestPtr tbsReq(new CPKIFTBSRequest);
    if(generateNonce)
        nonce = tbsReq->GetNonce();
    else
        tbsReq->SetGenerateNonce(false);

    //iterate over all certs in the path and prepare a request object for each
    CPKIFCertificateNodeList::iterator pathPos;
    CPKIFCertificateNodeList::iterator pathEnd = certPath.end();
    for(pathPos = certPath.begin(); pathPos != pathEnd; ++pathPos)
    {
        CPKIFCertificatePtr cert = (*pathPos)->GetCert();
        CPKIFCertStatusPtr cs = (*pathPos)->GetStatus();
        RevocationStatus rs = cs->GetRevocationStatus();
        if(NOT_CHECKED == rs)
        {
            //get hash of the issuer DN
            CPKIFBufferPtr issuerNameHash = _HashIssuerName(*cert, m);

            //hash issuer's public key
            CPKIFBufferPtr issuerKeyHash = _HashPublicKey(*issuersCert, m);

            //get target cert's serial number
            CPKIFStringPtr targetSerialNumber(new std::string(cert->SerialNumber()));

            //prepare certID
            CPKIFCertIDPtr certID(new CPKIFCertID);
            certID->SetHashAlg(g_sha1AI);
            certID->SetIssuerNameHash(issuerNameHash);
            certID->SetIssuerKeyHash(issuerKeyHash);
            certID->SetSerialNumber(targetSerialNumber);

            //create a new request (we use no request extensions presently)
            CPKIFRequestPtr req(new CPKIFRequest);
            req->SetCertID(certID);

            //add the request to the to-be-signed request collection
            tbsReq->AddRequest(req);
        }

        //prepare issuersCert for next loop
        issuersCert = cert;
    }

    //hand the to-be-signed request to the ocsp request then encode it
    CPKIFOCSPRequest ocspReq;
    ocspReq.SetRequest(tbsReq, cred, m->GetMediatorFromParent<IPKIFMediator>());

    return ocspReq.Encode();
}
bool _CertIDMatchesCert(
    CPKIFCertIDPtr& cid, 
    const CPKIFCertificate& cert, 
    IPKIFColleague* m)
{
    LOG_STRING_DEBUG("_CertIDMatchesCert", TOOLKIT_OCSP_CHECKER, 0, NULL);

    //get serial number from cert ID and certificate
    const char* cidSN = cid->GetSerialNumber();
    const char* certSN = cert.SerialNumber();

    //fail if either are NULL or if they do not match
    //reviewed 4/24 - added strlen
    if(NULL == cidSN || NULL == certSN || strlen(cidSN) != strlen(certSN) ||
        0 != stricmp(cidSN, certSN))
        return false;

    //generate a hash of the certificate's issuer and get pointer to issuer hash from cert ID
    CPKIFBufferPtr certHashBuf = _HashIssuerName(cert, m);
    CPKIFBufferPtr cidHashBuf = cid->GetIssuerNameHash();

    //fail if they do not match
    if(!(*certHashBuf == *cidHashBuf))
        return false;

    //if we get here then we have a match
    return true;
}
bool _MatchSignersCertAndResponderID(
    CPKIFBasicOCSPResponse& basicOCSPResponse, 
    CPKIFCertificatePtr& signersCert, 
    IPKIFColleague* m)
{
    LOG_STRING_DEBUG("_MatchSignersCertAndResponderID", TOOLKIT_OCSP_CHECKER, 0, NULL);

    CPKIFResponseDataPtr rdp = basicOCSPResponse.GetResponseData();
    CPKIFResponderIDPtr ridp = rdp->GetResponderID();

    switch(ridp->GetChoice())
    {
    case CPKIFResponderID::NAME:
        {
            CPKIFNamePtr name = ridp->GetName();
            return *name == *signersCert->Subject();
        }
        break;
    case CPKIFResponderID::KEYHASH:
        {
            CPKIFBufferPtr hashFromResponse = ridp->GetHash();
            CPKIFBufferPtr hashOfPublicKey = _HashPublicKey(*signersCert, m);
            return *hashFromResponse == *hashOfPublicKey;
        }
        break;
    default:
        return false;
    }
}

//----------------------------------------------------------------------------------------------------
//
//  Private member functions
//
//----------------------------------------------------------------------------------------------------
CPKIFCertificatePtr CPKIFOCSPCheckerImpl::CertChooser(
    CPKIFBasicOCSPResponse& basicOCSPResponse)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CertChooser", TOOLKIT_OCSP_CHECKER, 0, this);

    CPKIFCertificatePtr noCert;

    CPKIFResponseDataPtr rd = basicOCSPResponse.GetResponseData();
    CPKIFResponderIDPtr rid = rd->GetResponderID();
    CPKIFResponderID::ResponderIDType ridType = rid->GetChoice();

    //This function is used to select a certificate for use in verifying the signature on
    //an OCSP response.
    CPKIFCertificateList certs;
    basicOCSPResponse.GetCerts(certs);
    if(!certs.empty())
    {
        CPKIFNamePtr name;
        CPKIFBufferPtr hashFromResponse;
        if(CPKIFResponderID::NAME == ridType)
            name =  rid->GetName();
        else if(CPKIFResponderID::KEYHASH == ridType)
        {
            hashFromResponse = rid->GetHash();
        }

        CPKIFCertificateList::iterator pos;
        CPKIFCertificateList::iterator end = certs.end();
        for(pos = certs.begin(); pos != end; ++pos)
        {
            if(CPKIFResponderID::NAME == ridType && name != (CPKIFName*)NULL)
            {
                if(*name == *(*pos)->Subject())
                    return *pos;
            }
            else if(CPKIFResponderID::KEYHASH == ridType && hashFromResponse != (CPKIFBuffer*)NULL)
            {
                CPKIFBufferPtr hashOfPublicKey = _HashPublicKey(*(*pos), m_parent);
                if( *hashFromResponse == *hashOfPublicKey)
                    return *pos;
            }
            else
            {
                //give the front cert a shot - we should never get here anyway
                return certs.front();
            }
        }
    }
    else
    {
        if(CPKIFResponderID::NAME == ridType)
        {
            //look for TA - added 6/3/2004
            IPKIFTrustCache* trustCache = m_parent->GetMediatorFromParent<IPKIFTrustCache>();
            if(NULL != trustCache)
            {
                CPKIFNamePtr name = rid->GetName();

                IPKIFTrustAnchorList TAs;
                trustCache->GetTrustRoots(name, TAs);

                IPKIFTrustAnchorList::iterator taPos;
                IPKIFTrustAnchorList::iterator taEnd = TAs.end();
                for(taPos = TAs.begin(); taPos != taEnd; ++taPos)
                {
                    CPKIFCertificatePtr taCert = (*taPos)->GetCertificate();
                    if(taCert)
                        return taCert;
                }
            }

            //if we have a by Name responder ID then we can search for the certs
            //(if we have a key hash then we'll just fail to verify - sorry)
            IPKIFCertSearch* certSearch = m_parent->GetMediatorFromParent<IPKIFCertSearch>();
            if(NULL != certSearch)
            {
                CPKIFNamePtr name = rid->GetName();

                #ifdef _DEBUG
                        const char* nameString = name->ToString();
                #endif

                CPKIFNameBasedSearch nbs;
                nbs.SetName(name);
                certSearch->FindCertificates(&nbs, certs, ALL);

                if(!certs.empty())
                    return certs.front();
            }
        }
        else if(CPKIFResponderID::KEYHASH == ridType)
        {
            try
            {
                CPKIFBufferPtr keyHash = rid->GetHash();

                //IPKIFTrustCache* trustCache = m_parent->GetMediatorFromParent<IPKIFTrustCache>();
                //if(keyHash && NULL != trustCache)
                //{
                //  CPKIFNamePtr name = rid->GetName();

                //  IPKIFTrustAnchorList TAs;
                //  trustCache->GetTrustRoots(name, TAs);

                //  IPKIFTrustAnchorList::iterator taPos;
                //  IPKIFTrustAnchorList::iterator taEnd = TAs.end();
                //  for(taPos = TAs.begin(); taPos != taEnd; ++taPos)
                //  {
                //      CPKIFSubjectKeyIdentifierPtr skid = (*taPos)->GetKeyIdentifier();
                //      if(skid)
                //      {
                //          CPKIFBufferPtr skidBuf = skid->KeyIdentifier();
                //          if(skidBuf && (*skidBuf == *keyHash))
                //          {
                //              CPKIFCertificatePtr taCert = (*taPos)->GetCertificate();
                //              if(taCert)
                //                  return taCert;
                //              }
                //      }
                //  }
                //}

                //if we have a by Name responder ID then we can search for the certs
                //(if we have a key hash then we'll just fail to verify - sorry)
                IPKIFCertSearch* certSearch = m_parent->GetMediatorFromParent<IPKIFCertSearch>();
                if(keyHash && NULL != certSearch) 
                {
                    #ifdef _DEBUG
                            const unsigned char* nameString = keyHash->GetBuffer();
                    #endif

                    CPKIFKeyIDBasedSearch kibs;
                    kibs.SetKeyID(keyHash);
                    certSearch->FindCertificates(&kibs, certs, ALL);

                    if(!certs.empty())
                        return certs.front();
                }
            }
            catch(...)
            {
                //failed in our search by key ID, do
            }
        }
    }

    return noCert;
}
bool CPKIFOCSPCheckerImpl::VerifyBasicOCSPResponseSignature(
    CPKIFBasicOCSPResponse& basicOCSPResponse, 
    CPKIFCertificatePtr& signersCert)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::VerifyBasicOCSPResponseSignature", TOOLKIT_OCSP_CHECKER, 0, this);

    //get the ResponseData
    CPKIFResponseDataPtr responseData = basicOCSPResponse.GetResponseData();
    if(responseData == (CPKIFResponseData*)NULL)
        throw CPKIFException(m_parent->thisComponent,COMMON_INVALID_INPUT,"NULL response passed to response verification function");

    //get pointer to signature alg (should also identify hash alg)
    CPKIFAlgorithmIdentifierPtr sigAlg = basicOCSPResponse.GetSignatureAlg();
    if(sigAlg == (CPKIFAlgorithmIdentifier*)NULL)
        throw CPKIFException(m_parent->thisComponent,COMMON_INVALID_INPUT,"Response containing no signature algorithm passed to response verification function");

    //get a pointer to the signature
    CPKIFBufferPtr sig = basicOCSPResponse.GetSignature();
    if(sig == (CPKIFBuffer*)NULL)
        throw CPKIFException(m_parent->thisComponent,COMMON_INVALID_INPUT,"Response containing no signature passed to response verification function");

    //get pointers to necessary interfaces
    IPKIFCryptoMisc* cMisc = m_parent->GetMediatorFromParent<IPKIFCryptoMisc>();
    IPKIFCryptoRawOperations* crypto = m_parent->GetMediatorFromParent<IPKIFCryptoRawOperations>();
    if(NULL == cMisc || NULL == crypto)
        throw CPKIFException(m_parent->thisComponent,COMMON_MEDIATOR_MISSING,"One or both of the IPKIFCryptoRawOperations or IPKIFCryptoMisc interfaces was not available.");

    //setup hash alg
    PKIFCRYPTO::HASH_ALG ha;
    CPKIFOIDPtr anOID = sigAlg->oid();
    GetCACHashAlg(anOID, &ha); //GetCACHashAlg(sigAlg->oid(), &ha);

    //create a hash object
    unsigned char hashResult[MAXHASH];
    int hashResultLen = MAXHASH;
    IPKIFHashContext* h = cMisc->HashInit(ha);
    if(NULL == h)
        throw CPKIFException(m_parent->thisComponent,COMMON_UNSUPPORTED_ALG,"Response signed using unsupported hashing algorithm.");

    //get pointer to to-be-signed buffer
    CPKIFBufferPtr eRDP = responseData->toBeSigned();

    try
    {
        //hash the data
        cMisc->HashUpdate(h, (unsigned char*)eRDP->GetBuffer(), eRDP->GetLength());

        //get the result then destroy the hash context
        cMisc->HashFinal(h, hashResult, &hashResultLen);
    }
    catch(CPKIFException& e)
    {
        delete h;
        throw e;
    }
    delete h; h = NULL;

    //obtain a cert with which to verify the response
    CPKIFCertificatePtr cert = CertChooser(basicOCSPResponse);
    if(cert == (CPKIFCertificate*)NULL)
        return false;

    //setup a raw key material object...
    CPKIFKeyMaterial key;
    key.SetCertificate(cert->Encoded()->GetBuffer(), cert->Encoded()->GetLength());

    //then verify the signature
    if(!crypto->Verify(key, hashResult, ha, (unsigned char*)sig->GetBuffer(), sig->GetLength(), ha))
        return false;   

    //pass a pointer to the signer's cert back to the caller
    signersCert = cert;

    return true;
}

bool VerifyCertificateWithCryptoPP(CPKIFSubjectPublicKeyInfoPtr& spki, const CPKIFCertificate& subCert);

bool CPKIFOCSPCheckerImpl::CheckSignerAuth(
    const IPKIFNameAndKey* issuersCert,
    const CPKIFCertificate& signersCert)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckSignerAuth", TOOLKIT_OCSP_CHECKER, 0, this);

   //1. Matches a local configuration of OCSP signing authority for the
   //certificate in question; or
   //2. Is the certificate of the CA that issued the certificate in
   //question; or
   //3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage
   //extension and is issued by the CA that issued the certificate in
   //question."

    //1. if local config (i.e. a host and port specified via Setxxx methods)
    if(m_bLocalConfig)
    {
        if(m_responderCert == (CPKIFCertificate*)NULL)
            return true;
        else
        {
            if(m_bRequireThisCert)
            {
                if(signersCert == *m_responderCert)
                    return true;
                else
                    return false;
            }
            else
            {
                if(signersCert.SameDNSameKey(*m_responderCert))
                    return true;
                else
                    return false;
            }
        }
    }

    //2. if the OCSP signers cert is the cert issuers cert
    if(issuersCert->SameDNSameKey(signersCert))
        return true;

    IPKIFCryptoRawOperations* cRaw = m_parent->GetMediatorFromParent<IPKIFCryptoRawOperations>();
    if(NULL == cRaw)
        throw CPKIFOCSPException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoRawOperations interface was not available");

    //3. if the OCSP signers cert is issued by the cert issuer and contain OCSP signing EKU
    CPKIFExtendedKeyUsagePtr eku = const_cast<CPKIFCertificate*>(&signersCert)->GetExtension<CPKIFExtendedKeyUsage>();
    if(eku != (CPKIFExtendedKeyUsage*) NULL)
    {
        bool ocspEKUPresent = false;
        //get list of EKUs
        vector<CPKIFOIDPtr> keyPurposeIDs;
        eku->KeyPurposeIDs(keyPurposeIDs);
        
        //search list for OCSP signing EKU
        GottaMatch<CPKIFOIDPtr> gm;
        gm.SetRHS(g_ocspSigningEKU);

        vector<CPKIFOIDPtr>::iterator end = keyPurposeIDs.end();
        if(end != find_if(keyPurposeIDs.begin(), keyPurposeIDs.end(), gm))
        {
            ocspEKUPresent = true;
            //return true;
        }

        IPKIFCryptoRaw* crypto = m_parent->GetMediatorFromParent<IPKIFCryptoRaw>();
        bool sigVerified = false;
        bool namesMatch = false;
        try
        {
            CPKIFSubjectPublicKeyInfoPtr spki = issuersCert->GetSubjectPublicKeyInfo();
            sigVerified = VerifyCertificateWithCryptoPP(spki, signersCert);

            //sigVerified = crypto->VerifyCertificate(*issAsCert, signersCert);

            if(*issuersCert->GetSubjectName() == *signersCert.Issuer())
                namesMatch = true;
        }
        catch(...)
        {
            return false;
        }

        if(ocspEKUPresent && sigVerified && namesMatch)
            return true;
    }

    return false;
}
/*
void CPKIFOCSPChecker::SetSufficientlyRecent(int seconds)
{
    m_duration->setSeconds(seconds);
}
void CPKIFOCSPChecker::SetRequireSufficientlyRecent(bool requireSufficientlyRecent)
{
    m_bRequireSufficientlyRecent = requireSufficientlyRecent;
}
*/
bool CPKIFOCSPCheckerImpl::CheckTime(
    CPKIFSingleResponsePtr& sr, 
    int* error, 
    CPKIFPathSettingsPtr& ps)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckTime", TOOLKIT_OCSP_CHECKER, 0, this);

    //5. The time at which the status being indicated is known to be
    //  correct (thisUpdate) is sufficiently recent.  
    CPKIFTimePtr curTime = ps->GetValidationTime();
    CPKIFDurationPtr duration = ps->GetDuration();
    bool requireRecent = ps->GetRequireSufficientlyRecent();
    CPKIFTimePtr sufficientlyRecent(new CPKIFTime(*curTime - *duration));
    CPKIFTimePtr thisUpdate = sr->GetThisUpdate();
    if(requireRecent && *thisUpdate < *sufficientlyRecent)
    {
        *error = OCSP_STATUS_NOT_SUFFICIENTLY_RECENT;
        return false;
    }

    //6. When available, the time at or before which newer information will
    //  be available about the status of the certificate (nextUpdate) is
    //  greater than the current time.
    CPKIFTimePtr nextUpdate = sr->GetNextUpdate();
    bool requireFresh = ps->GetRequireFreshRevocationData();
    if(nextUpdate != (CPKIFTime*)NULL)
    {
        if(requireFresh && *curTime > *nextUpdate)
        {
            *error = OCSP_NEXT_UPDATE_PASSED;
            return false;
        }
    }
    
    return true;
}
bool CPKIFOCSPCheckerImpl::CheckCertStatus(
    CPKIFSingleResponseList& responses, 
    const CPKIFCertificatePtr& ocspSignersCert,
    const IPKIFNameAndKey* issuersCert, 
    const CPKIFCertificate& targetCert, 
    RevocationStatus& revStatus, 
    CPKIFOCSPInfoPtr& ocspInfo, 
    int* error, 
    CPKIFPathSettingsPtr& ps)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckCertStatus", TOOLKIT_OCSP_CHECKER, 0, this);

    revStatus = NOT_CHECKED;

    *error = 0; //be optimistic

    //This function takes a vector of SingleResponses, the signer of the OCSPResponse that contained
    //the SingleResponses, an issuer cert and a target cert.  It searches the list of responses for
    //the target cert, determines if the ocsp signer is authorized, then determines the status.
    CPKIFSingleResponseList::iterator pos;
    CPKIFSingleResponseList::iterator end = responses.end();
    CPKIFSingleResponsePtr targetResponse;
    for(pos = responses.begin(); pos != end; ++pos)
    {
        //1. The certificate identified in a received response corresponds to
        //that which was identified in the corresponding request; (i.e. find the 
        //target cert in the list of responses)
        CPKIFCertIDPtr cid = (*pos)->GetCertID();
        if(_CertIDMatchesCert(cid, targetCert, m_parent))
        {
            targetResponse = *pos;
            break;
        }
    }

    if(targetResponse == (CPKIFSingleResponse*)NULL)
    {
        *error = OCSP_TARGET_RESPONSE_NOT_INCLUDED;
        return false;
    }

    //moved here from below so it gets returned in failure cases too
    //(like invalid time)
    ocspInfo->SetSingleResponse(targetResponse);

    //if OCSP signer is the target - return false (this prevents looping)
    if(*ocspSignersCert == targetCert)
    {
        *error = OCSP_RESPONDER_IS_TARGET;
        return false;
    }

    //4. found a response, check signer authorization
    if(!CheckSignerAuth(issuersCert, *ocspSignersCert))
    {
        ocspInfo->SetSingleResponse(targetResponse);
        *error = OCSP_RESPONDER_NOT_AUTHORIZED;
        return false;
    }

    std::vector<CPKIFX509ExtensionPtr> processedExts;
    if(targetResponse->AreThereAnyUnprocessedCriticalExtensions(processedExts))
    {
        *error = OCSP_UNPROCESSED_CRITICAL_EXTENSION;
        return false;
    }

    //check time
    if(!CheckTime(targetResponse, error, ps))
    {
        return false;
    }

    bool bDefinitiveAnswer = false;

    //check status (revocation status in cert status is ONLY updated here - 
    //until this point it should remain unknown)
    CPKIFOCSPCertStatusPtr cs = targetResponse->GetCertStatus();
    CPKIFOCSPCertStatus::CertStatusChoice choice = cs->GetChoice();
//  ocspInfo->SetSingleResponse(targetResponse);
    switch(choice)
    {
    case CPKIFOCSPCertStatus::GOOD:
        bDefinitiveAnswer = true;
        revStatus = NOT_REVOKED;
        break;
    case CPKIFOCSPCertStatus::REVOKED:
        {
        bDefinitiveAnswer = true;
        revStatus = REVOKED;
        }
        break;
    case CPKIFOCSPCertStatus::UNKNOWN:
    case CPKIFOCSPCertStatus::UNSET:    //this one shouldn't happen but might as well treat as unknown
        revStatus = NOT_CHECKED;
        *error = OCSP_UNKNOWN_CERT_STATUS;
        break;
    }

    return bDefinitiveAnswer;
}
void CPKIFOCSPChecker::SetPathSettings(
    CPKIFPathSettingsPtr& settings)
{
    m_impl->m_settings = settings;
}

//added two nonce flags and supporting code 6/9/2004
void CPKIFOCSPChecker::SetGenerateNonce(
    bool bGenerateNonce)
{
    m_impl->m_bGenerateNonce = bGenerateNonce;
}
bool CPKIFOCSPChecker::GetGenerateNonce()
{
    return m_impl->m_bGenerateNonce;
}
void CPKIFOCSPChecker::SetRequireNonceMatch(
    bool bRequireNonceMatch)
{
    m_impl->m_bRequireNonceMatch = bRequireNonceMatch;
}
bool CPKIFOCSPChecker::GetRequireNonceMatch()
{
    return m_impl->m_bRequireNonceMatch;
}

bool CPKIFOCSPCheckerImpl::ValidatePath(
    CPKIFCertificatePtr& signersCert, 
    int* error, 
    const CPKIFCertificatePath* prevPath)
{
    try
    {
        LOG_STRING_DEBUG("CPKIFOCSPChecker::ValidatePath", TOOLKIT_OCSP_CHECKER, 0, this);

        if(HasCertBeenValidated(signersCert))
        {
            *error = 0;
            return true;
        }

        //get pointer to necessary interfaces
        IPKIFPathValidate* pv = m_parent->GetMediatorFromParent<IPKIFPathValidate>();
        IPKIFPathBuild* pb = m_parent->GetMediatorFromParent<IPKIFPathBuild>();
        if(NULL == pv || NULL == pb)
            throw CPKIFException(m_parent->thisComponent,COMMON_MEDIATOR_MISSING,"One or both of the IPKIFPathValidate or IPKIFPathBuild interfaces was not available.");

        //declare a path and set the target cert
        CPKIFCertificatePath path;
        path.SetTarget(signersCert);

        //prepare path settings
        if(m_settings != (CPKIFPathSettings*)NULL)
        {
            CPKIFPathSettingsPtr copy(new CPKIFPathSettings(*m_settings));
            path.SetPathSettings(copy);
        }
        else
        {
            //otherwise declare default settings
            CPKIFPathSettingsPtr settings(new CPKIFPathSettings);
            path.SetPathSettings(m_settings);
        }

        //next determine if the revocation status was determined (and if not
        //if our minimum requirements were met)
        RevocationStatus minAcceptable = NOT_REVOKED;
        CPKIFX509ExtensionPtr ext;
        signersCert->GetExtensionByOID(*g_ocspNoCheck, ext);

        //if nocheck extension is present then relax requirement to check revocation
        //if(ext != (CPKIFX509Extension*)NULL)
        //{
        //  minAcceptable = NOT_CHECKED;
        //}

        //This do/while will iteratively call Build and Validate until all paths have been tried
        //or a good path has been found.  
        do
        {

            //try to build a path
            if(!pb->BuildPath(path))
            {
                *error = OCSP_PATH_BUILDING_FAILED;
                //return false;
                break;
            }

            //added this goo 8/23/2004 to ensure that we do not loop in broken PKIs
            //where a CA resorts to a subordinate for revocation status
            if(NULL != prevPath)
            {
                CPKIFCertificatePtr prevTarget;
                prevPath->GetTarget(prevTarget);

                if(prevTarget != (CPKIFCertificate*)NULL)
                {
                    CPKIFCertificateNodeList curPathNodeList;
                    path.GetPath(curPathNodeList);

                    CPKIFCertificateNodeList::iterator nodePos;
                    CPKIFCertificateNodeList::iterator nodeEnd = curPathNodeList.end();
                    for(nodePos = curPathNodeList.begin(); nodePos != nodeEnd; ++nodePos)
                    {
                        CPKIFCertificatePtr tmpCurCert = (*nodePos)->GetCert();
                        if(!(tmpCurCert == (CPKIFCertificate*)NULL) && *prevTarget == *tmpCurCert)
                        {
                            *error = OCSP_RESPONDER_NOT_AUTHORIZED;
                            //return false;
                            continue;
                        }
                    }
                }
            }

            //validate the path
            CPKIFPathValidationResults results;
            //CPKIFFuncStoragePtr empty;
            //Added key usage checker 3/25/2005  Armen
            CPKIFFuncStoragePtr keyUsageAny(new CPKIFFuncStorage(keyUsageChecker_Any));
            keyUsageAny->addFunc(EKUChecker_OcspSigning); //added EKU checker 7/13/2005 Armen
            pv->ValidatePath(path, results, keyUsageAny);
            
            //next see if basic checks passed and all signatures verified
            if((!results.GetBasicChecksSuccessfullyPerformed() ||
                !results.GetCertSignaturesVerified()) && !results.GetTargetIsTrustAnchor()) //added TA check 6/9/04
            {
                *error = OCSP_PATH_VALIDATION_FAILED;
                //return false;
                continue;
            }

            if(!ext)
            {
                //if there's no noCheck extension, then everything must be NOT_REVOKED (the value in minAcceptable)
                RevocationStatus rStatus = results.GetRevocationStatusMostSevere();
                if(rStatus >= minAcceptable)
                {
                    AddValidatedResponderCert(signersCert);
                    return true;
                }
                else
                {
                    *error = OCSP_PATH_VALIDATION_FAILED;
                    //return false;
                    continue;
                }
            }
            else
            {
                //the EE cert is allowed to be NOT_CHECKED, must walk the path
                CPKIFCertificateNodeList nodes;
                path.GetPath(nodes);

                CPKIFCertificateNodeList::iterator nodePos;
                CPKIFCertificateNodeList::iterator nodeEnd = nodes.end();
                for(nodePos = nodes.begin(); nodePos != nodeEnd; ++nodePos)
                {
                    CPKIFCertStatusPtr certStatusFromNode = (*nodePos)->GetStatus();

                    //skip the EE cert since noCheck applies to it
                    if(certStatusFromNode && (nodePos+1) != nodeEnd)
                    {
                        RevocationStatus rsFromNode = certStatusFromNode->GetRevocationStatus();
                        if(NOT_REVOKED != rsFromNode)
                        {
                            *error = OCSP_PATH_VALIDATION_FAILED;
                            //return false;     
                            continue;
                        }
                    }
                }

                if(0 == *error)
                {
                    AddValidatedResponderCert(signersCert);
                    return true;
                }
            }
        }while(1);
    }
    catch(CPKIFException& pe)
    {
        *error = pe.GetErrorCode();
        if(0 == *error)
            *error = COMMON_UNKNOWN_ERROR;
        return false;
    }
    
    return false;
}
bool CPKIFOCSPCheckerImpl::ProcessResponse(
    CPKIFBufferPtr& bp,
    CPKIFBasicOCSPResponsePtr& basicOCSPResponse, 
    CPKIFCertificatePtr& signersCert, 
    int* error, 
    CPKIFOCSPResponsePtr& response)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::ProcessResponse", TOOLKIT_OCSP_CHECKER, 0, this);

    //from RFC 2560 (manner in which each is met is described inline below with numeric references)
    //3.2  Signed Response Acceptance Requirements
    //  Prior to accepting a signed response as valid, OCSP clients SHALL
    //  confirm that:
    //  1. The certificate identified in a received response corresponds to
    //  that which was identified in the corresponding request;
    //  2. The signature on the response is valid;
    //  3. The identity of the signer matches the intended recipient of the
    //  request.
    //  4. The signer is currently authorized to sign the response.
    //  5. The time at which the status being indicated is known to be
    //  correct (thisUpdate) is sufficiently recent.
    //  6. When available, the time at or before which newer information will
    //  be available about the status of the certificate (nextUpdate) is
    //  greater than the current time.

    //First, parse the response
    CPKIFOCSPResponsePtr tmpOCSPResponse(new CPKIFOCSPResponse);
    tmpOCSPResponse->Decode(bp);

    //after parsing save the response to the outbound response parameter
    response = tmpOCSPResponse;

    //get the status of the protocol response
    OCSPResponseStatus ocspResponseStatus = tmpOCSPResponse->GetResponseStatus();
    if(successful != ocspResponseStatus)
    {
        *error = OCSP_RECEIVED_NON_SUCCESSFUL_RESPONSE;
        return false;
    }

    //then get the actual OCSP response from the protocol layer
    CPKIFResponseBytesPtr responseBytes = tmpOCSPResponse->GetResponseBytes();
    if(responseBytes == (CPKIFResponseBytes*)NULL)
    {
        *error = OCSP_NO_RESPONSE_BODY;
        return false;
    }

    //make sure it's a response type we support (currently basic only)
    if(!(*g_ocspBasic == responseBytes->GetResponseType()))
    {
        //unknown response type
        *error = OCSP_UNSUPPORTED_RESPONSE_TYPE;
        return false;
    }

    //get the encoded basic response
    CPKIFBufferPtr responseBuf = responseBytes->GetResponse();

    //decode the basic response
    CPKIFBasicOCSPResponsePtr tmpBasicOCSPResponse(new CPKIFBasicOCSPResponse);
    tmpBasicOCSPResponse->Decode(responseBuf);

    //2. The signature on the response is valid;
    //Before processing the response, verify the signature on the request
    //  (path validation is done elsewhere to prevent looping)
    if(!VerifyBasicOCSPResponseSignature(*tmpBasicOCSPResponse, signersCert))
    {
        *error = OCSP_RESPONSE_SIG_VERIFICATION_FAILED;
        return false;
    }

    //3. The identity of the signer matches the intended recipient of the request.
    //How, exactly, are we supposed to know who the "intended" recipient
    //  of the request was?  We don't.  Match the signer's cert info with
    //  the responderID instead
    if(!_MatchSignersCertAndResponderID(*tmpBasicOCSPResponse, signersCert, m_parent))
    {
        *error = OCSP_SIGNER_MISMATCH;
        return false;
    }

    basicOCSPResponse = tmpBasicOCSPResponse;
    return true;
}
bool CPKIFOCSPCheckerImpl::CheckOCSPStatus(
    const char* host, 
    int port,
    const char* object, 
    CPKIFBufferPtr& ocspReq, 
    CPKIFBasicOCSPResponsePtr& basicOCSPResponse, 
    CPKIFCertificatePtr& signersCert, 
    int* error, 
    CPKIFOCSPResponsePtr& response,
    CPKIFPathSettingsPtr& ps,
    const char* url)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckOCSPStatus", TOOLKIT_OCSP_CHECKER, 0, this);

    CPKIFBufferPtr bp;
    if(NULL != host)
        PostRequest(ocspReq, bp, host, port, object, PKIF_OCSP);
    else
    {
#ifdef _DEBUG_URI_DUMP
    if(!g_uriLogFile.is_open())
    {
        g_uriLogFile.open("_DEBUG_URI_DUMP_URILog.txt", ios::out);
    }
    DWORD __ticks = GetTickCount();

#ifdef _DEBUG_URI_DUMP
    g_uriLogFile << GetTickCount() - __ticks << " milliseconds elapsed retrieving from " << url << endl; 
#endif
#endif

        PostRequestURL(ocspReq, bp, url, PKIF_OCSP);
    }
    
    if(NULL == host && (bp == (CPKIFBuffer*)NULL || 0 == bp->GetLength()))
    {
        throw CPKIFOCSPException(TOOLKIT_OCSP_ASN, COMMON_URL_OPERATION_FAILED);
    }
    return ProcessResponse(bp, basicOCSPResponse, signersCert, error, response);
}
bool CPKIFOCSPChecker::ProcessOfflineResponse(
    CPKIFCertificatePtr& targetCert, 
    CPKIFCertificatePtr& targetCertIssuer, 
    bool responderIsTrusted, 
    CPKIFBufferPtr& ocspResponse, 
    CPKIFCertStatusPtr& targetCertStatus)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::ProcessOfflineResponse", TOOLKIT_OCSP_CHECKER, 0, this);

    bool bSomeNonDefinitive = false, bSomeDefinitive = false;
    bool bValPath = false;
    try
    {
        m_impl->m_bLocalConfig = responderIsTrusted;
        //m_bRequireSufficientlyRecent = false;

        CPKIFBasicOCSPResponsePtr basicOCSPResponse;
        CPKIFCertificatePtr signersCert;
        int error = 0;
        CPKIFOCSPResponsePtr response;
        m_impl->ProcessResponse(ocspResponse, basicOCSPResponse, signersCert, &error, response);

        CPKIFResponseDataPtr responseData = basicOCSPResponse->GetResponseData();

        std::vector<CPKIFX509ExtensionPtr> processedExts;

        //ignore nonces for offline processing
        CPKIFX509ExtensionPtr ext;
        responseData->GetExtensionByOID(*g_ocspNonce, ext);
        if(ext != (CPKIFBuffer*)NULL)
        {
            processedExts.push_back(ext);
        }

        if(responseData->AreThereAnyUnprocessedCriticalExtensions(processedExts))
        {
            error = OCSP_UNPROCESSED_CRITICAL_EXTENSION;
            return false;
        }

        //get the list of responses
        CPKIFSingleResponseList responses;
        responseData->GetResponses(responses);

        //grab a pointer to the current cert and current cert status objects
        if(targetCertStatus == (CPKIFCertStatus*)NULL)
        {
            CPKIFCertStatusPtr tmpCS(new CPKIFCertStatus);
            targetCertStatus = tmpCS; 
        }

        //declare some variables specific to this interation for use in setting up a revocation source
        RevocationStatus rs;
        CPKIFOCSPInfoPtr ocspInfo(new CPKIFOCSPInfo);

        ocspInfo->SetOCSPResponse(response); //set the response (single response is set in CheckCertStatus)

        //check response to determine the status of the current cert
        IPKIFNameAndKey* targetCertIssuerNK = dynamic_cast<IPKIFNameAndKey*>(targetCertIssuer.get());
        if(!m_impl->CheckCertStatus(responses, signersCert, targetCertIssuerNK, *targetCert, rs, ocspInfo, &error, m_impl->m_settings))
            bSomeNonDefinitive = true;
        else
            bSomeDefinitive = true;

        //add a revocation source to the cert status object
        targetCertStatus->AddRevocationSource(REVSOURCE_OCSP, REV_INFO_CAST(ocspInfo), rs, error);

        //set up the status info (and possibly diagnostic info) for the cert status object
        targetCertStatus->SetRevocationStatus(rs);
        if(REVOKED == rs)
            targetCertStatus->SetDiagnosticCode(PATH_CERT_REVOKED);
        else if (NOT_CHECKED == rs)
            targetCertStatus->SetDiagnosticCode(PATH_CERT_REVOCATION_STATUS_NOT_DETERMINED);
        else
            targetCertStatus->SetDiagnosticCode(0);

        if(bSomeDefinitive)
        {
            //if there are no definitive responses do we really care if there is a valid path?
            //this may help prevent looping when an OCSP server returns status on itself.
            bValPath = m_impl->ValidatePath(signersCert, &error);
        }
    }
    catch(CPKIFException&)
    {
    }

    //to return true we must have a definitive answer for each as well as a validated path
    return !bSomeNonDefinitive && bValPath;
}
bool CPKIFOCSPCheckerImpl::CheckOCSPStatus_Combo(
    const char* host, 
    int port, 
    const char* object, 
    const CPKIFCertificatePath& path, 
    const char* url )
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckOCSPStatus_Combo", TOOLKIT_OCSP_CHECKER, 0, this);

    bool bSomeNonDefinitive = false, bSomeDefinitive = false;
    bool bValPath = false;
    try
    {
        //This function takes a path and creates a single request containing 
        //info about each cert in the path.
        CPKIFBufferPtr nonce;
        CPKIFBufferPtr ocspReq = _CreateComplexOCSPRequest(path, m_parent, nonce, m_bGenerateNonce, m_cred);

        //declare a pointer to receive the basic response
        CPKIFBasicOCSPResponsePtr basicOCSPResponse;

        //declare a pointer to receive the OCSP signer's certificate
        CPKIFCertificatePtr signersCert;

        int error = 0;
        CPKIFOCSPResponsePtr response;

        CPKIFPathSettingsPtr ps;
        path.GetPathSettings(ps);

        //call a function to post the request, receive the response and process the generic 
        //portion of the response. 
        if(host)
        {
            if(!CheckOCSPStatus(host, port, object, ocspReq, basicOCSPResponse, signersCert, &error, response, ps))
                return false;
        }
        else
        {
            if(!CheckOCSPStatus(NULL, port, object, ocspReq, basicOCSPResponse, signersCert, &error, response, ps, url))
                return false;
        }
        CPKIFResponseDataPtr responseData = basicOCSPResponse->GetResponseData();

        std::vector<CPKIFX509ExtensionPtr> processedExts;

        //compare nonces
        if(nonce != (CPKIFBuffer*)NULL)
        {
            CPKIFX509ExtensionPtr ext;
            responseData->GetExtensionByOID(*g_ocspNonce, ext);
            if(ext == (CPKIFBuffer*)NULL)
            {
                if(m_bRequireNonceMatch)
                {
                    error = OCSP_NONCE_MISSING;
                    return false;
                }
            }
            else
            {
                CPKIFBufferPtr value = ext->value();
                if(value == (CPKIFBuffer*)NULL || !(*nonce == *value))
                {
                    if(m_bRequireNonceMatch)
                    {
                        error = OCSP_NONCE_MISMATCH;
                        return false;
                    }
                }
            }

            processedExts.push_back(ext);
        }

        if(responseData->AreThereAnyUnprocessedCriticalExtensions(processedExts))
        {
            error = OCSP_UNPROCESSED_CRITICAL_EXTENSION;
            return false;
        }

        //get the list of responses
        CPKIFSingleResponseList responses;
        responseData->GetResponses(responses);

        //get the cert path as a list of cert nodes
        CPKIFCertificateNodeList certPath;
        path.GetPath(certPath);

        //harvest the trust root cert so we have the issuer of the first cert in the path
        IPKIFTrustAnchorPtr tr;
        path.GetTrustRoot(tr);
        CPKIFCertificatePtr issuersCert;

        CPKIFTrustRootPtr ta = boost::dynamic_pointer_cast<CPKIFTrustRoot, IPKIFTrustAnchor>(tr);
        if(ta)
            ta->GetCert(issuersCert);
        else
        {
            throw CPKIFException(TOOLKIT_OCSP_CHECKER, COMMON_INVALID_INPUT, "CPKIFOCSPChecker does not support non-certificate trust anchors.");
        }

        vector<IPKIFRevSourceInfoPtr> rslCollected;
        //iterate over the path.  for each cert in the path determine if the status has been
        //reported in the response
        CPKIFCertificateNodeList::iterator pathPos;
        CPKIFCertificateNodeList::iterator pathEnd = certPath.end();
        for(pathPos = certPath.begin(); pathPos != pathEnd; ++pathPos)
        {
            //grab a pointer to the current cert and current cert status objects
            CPKIFCertificatePtr cert = (*pathPos)->GetCert();
            
            CPKIFCertStatusPtr aCertStatus = (*pathPos)->GetStatus();
            CPKIFCertStatusPtr& certStatus = aCertStatus;

            //declare some variables specific to this interation for use in setting up a revocation source
            int error = 0;
            RevocationStatus rs;
            CPKIFOCSPInfoPtr ocspInfo(new CPKIFOCSPInfo);

            ocspInfo->SetOCSPResponse(response); //set the response (single response is set in CheckCertStatus)

            //check response to determine the status of the current cert
            IPKIFNameAndKey* issuersCertNK = dynamic_cast<IPKIFNameAndKey*>(issuersCert.get());
            if(!CheckCertStatus(responses, signersCert, issuersCertNK, *cert, rs, ocspInfo, &error, ps))
                bSomeNonDefinitive = true;
            else
                bSomeDefinitive = true;

            //add a revocation source to the cert status object
            certStatus->AddRevocationSource(REVSOURCE_OCSP, REV_INFO_CAST(ocspInfo), rs, error);
            IPKIFRevSourceInfoPtr tmpRevSource = REV_INFO_CAST(ocspInfo);
            rslCollected.push_back(tmpRevSource);

            //set up the status info (and possibly diagnostic info) for the cert status object
            certStatus->SetRevocationStatus(rs);
            if(REVOKED == rs)
                certStatus->SetDiagnosticCode(PATH_CERT_REVOKED);
            else if (NOT_CHECKED == rs)
                certStatus->SetDiagnosticCode(PATH_CERT_REVOCATION_STATUS_NOT_DETERMINED);
            else
                certStatus->SetDiagnosticCode(0);

            issuersCert = cert;
        }

        //anti-looping measures: walk the path looking for the signersCert.  if it's there and the
        //status is NOT_REVOKED then consider the path validated.
        pathEnd = certPath.end();
        int ii = 0;
        bool bSkipValPath = false;
        for(pathPos = certPath.begin(), ii = 0; pathPos != pathEnd; ++pathPos, ++ii)
        {
            CPKIFCertificatePtr tmpCert = (*pathPos)->GetCert();
            if(*tmpCert == *signersCert)
            {
                CPKIFCertStatusPtr cs = (*pathPos)->GetStatus();
                if(NOT_REVOKED == cs->GetRevocationStatus())
                {
                    bSkipValPath = true;
                    break;
                }
            }
        }

        if(bSomeDefinitive)
        {
            //if there are no definitive responses do we really care if there is a valid path?
            //this may help prevent looping when an OCSP server returns status on itself.
            if(!bSkipValPath)
            {
                bValPath = ValidatePath(signersCert, &error);
                if(!bValPath)
                {       

                    CPKIFCertificateNodeList::iterator pathPos;
                    CPKIFCertificateNodeList::iterator pathEnd = certPath.end();
                    for(pathPos = certPath.begin(); pathPos != pathEnd; ++pathPos)
                    {
                        //grab a pointer to the current cert and current cert status objects
                        CPKIFCertificatePtr cert = (*pathPos)->GetCert();
                        
                        CPKIFCertStatusPtr aCertStatus = (*pathPos)->GetStatus();
                        CPKIFCertStatusPtr& certStatus = aCertStatus;

                        CPKIFOCSPInfoPtr ocspInfo(new CPKIFOCSPInfo);
                        RevocationStatus rs = NOT_CHECKED;
                        RevocationSourceList list;
                        certStatus->GetRevocationSources(list);
                        RevocationSourceList::iterator rslPos;
                        RevocationSourceList::iterator rslEnd = list.end();
                        int count = 0;
                        for(rslPos = list.begin(); rslPos != rslEnd; ++rslPos)
                        {
                            vector<IPKIFRevSourceInfoPtr>::iterator rslCollectedPos;
                            vector<IPKIFRevSourceInfoPtr>::iterator rslCollectedEnd = rslCollected.end();
                            for(rslCollectedPos = rslCollected.begin(); rslCollectedPos != rslCollectedEnd; ++rslCollectedPos)
                            {
                                if((*rslPos)->m_sourceInfo == (*rslCollectedPos))
                                {
                                    (*rslPos)->m_status = rs;
                                    (*rslPos)->m_errorCode = OCSP_PATH_BUILDING_FAILED;
                                }
                            }
                        }                                       
                        certStatus->SetRevocationStatus(rs);
                        certStatus->SetDiagnosticCode(PATH_CERT_REVOCATION_STATUS_NOT_DETERMINED);
                    }
                }
            }
            else
                bValPath = true;
            if(bValPath)
            {
                //if path validation was successful - update the cert status of each cert in the path
                pathEnd = certPath.end();
                for(pathPos = certPath.begin(), ii = 0; pathPos != pathEnd; ++pathPos, ++ii)
                {
                    CPKIFCertStatusPtr cs = (*pathPos)->GetStatus();
//                  cs->SetRevocationStatus(rv[ii]);
                }
            }
        }
    }
    catch(CPKIFException&)
    {
    }

    //to return true we must have a definitive answer for each as well as a validated path
    return !bSomeNonDefinitive && bValPath;
}
bool CPKIFOCSPCheckerImpl::CheckOCSPStatus_Local(
    const char* host, 
    int port, 
    const char* object, 
    CPKIFCertificate& cert, 
    const IPKIFNameAndKey* issuersCert,
    CPKIFCertStatusPtr& certStatus, 
    CPKIFPathSettingsPtr& ps, 
    const char* url, 
    const CPKIFCertificatePath* prevPath)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckOCSPStatus_Local", TOOLKIT_OCSP_CHECKER, 0, this);

    int error = 0;

    //revocation source info
    CPKIFOCSPInfoPtr ocspInfo;
    RevocationStatus rs = NOT_CHECKED;

    //added this to avoid proceeding when noCheck is presented
    //if nocheck extension is present then relax requirement to check revocation
    CPKIFX509ExtensionPtr ext;
    cert.GetExtensionByOID(*g_ocspNoCheck, ext);
    if(ext != (CPKIFX509Extension*)NULL)
    {
        certStatus->SetRevocationStatus(NOT_REVOKED);
        return true;
    }

    do
    {
        CPKIFBufferPtr ocspReq;
        try
        {
            CPKIFBufferPtr nonce;

            //create a response
            ocspReq = _CreateSimpleOCSPRequest(cert, issuersCert, m_parent, nonce, m_bGenerateNonce, m_cred);

            CPKIFOCSPResponsePtr response;                  //the entire response (for the OCSP info object)
            CPKIFBasicOCSPResponsePtr basicOCSPResponse;    //the basic response (to process)
            CPKIFCertificatePtr signersCert;                    //signers cert (to which a path should be built and verified)

            //submit the request to the OCSP server and retrieve the response (also verify the 
            //signature on the response and perform other basic checks)
            if(!CheckOCSPStatus(host, port, object, ocspReq, basicOCSPResponse, signersCert, &error, response, ps, url))
                break;

            //get the response bytes out of the response
            CPKIFResponseDataPtr responseData = basicOCSPResponse->GetResponseData();

            std::vector<CPKIFX509ExtensionPtr> processedExts;

            //compare nonces
            if(nonce != (CPKIFBuffer*)NULL)
            {
                CPKIFX509ExtensionPtr ext;
                responseData->GetExtensionByOID(*g_ocspNonce, ext);
                if(ext == (CPKIFBuffer*)NULL)
                {
                    if(m_bRequireNonceMatch)
                    {
                        error = OCSP_NONCE_MISSING;
                        break;
                    }
                }
                else
                {
                    CPKIFBufferPtr value = ext->value();
                    if(value == (CPKIFBuffer*)NULL || !(*nonce == *value))
                    {
                        if(m_bRequireNonceMatch)
                        {
                            error = OCSP_NONCE_MISMATCH;
                            break;
                        }
                    }
                }

                processedExts.push_back(ext);
            }

            if(responseData->AreThereAnyUnprocessedCriticalExtensions(processedExts))
            {
                error = OCSP_UNPROCESSED_CRITICAL_EXTENSION;
                break;
            }

            //get the list of responses
            CPKIFSingleResponseList responses;
            responseData->GetResponses(responses);

            //create an OCSP info object - stuff the response into it (the specific entry in the response
            //will be identified and saved in CheckCertStatus
            CPKIFOCSPInfoPtr tmpOCSPInfo(new CPKIFOCSPInfo);
            ocspInfo = tmpOCSPInfo;
            ocspInfo->SetOCSPResponse(response);
            if(!CheckCertStatus(responses, signersCert, issuersCert, cert, rs, tmpOCSPInfo, &error, ps))
                break;

            //build and validate a path to the signer
            if(!ValidatePath(signersCert, &error, prevPath))
            {
                //if validate path fails then we need to undo the status that we set above
                rs = NOT_CHECKED;
                break;
            }
        }
        catch(CPKIFException& e)
        {
            //if we failed to create a request - save the error code and break out of this block
            error = e.GetErrorCode();
            break;
        }
    }while(0);

    //we get here by success or error - need to set the necessary goo on the status object
    //the diagnostic code on the certStatus object is not related to an error here.  those
    //errors are returned as part of the revocation source info.
    certStatus->SetRevocationStatus(rs);
    certStatus->AddRevocationSource(REVSOURCE_OCSP, REV_INFO_CAST(ocspInfo), rs, error);
    if(REVOKED == rs)
        certStatus->SetDiagnosticCode(PATH_CERT_REVOKED);
    else if (NOT_CHECKED == rs)
        certStatus->SetDiagnosticCode(PATH_CERT_REVOCATION_STATUS_NOT_DETERMINED);
    else
        certStatus->SetDiagnosticCode(0);

    return 0 == error;
}
bool CPKIFOCSPCheckerImpl::CheckOCSPStatus_URL(const char* url, CPKIFCertificate& cert, const IPKIFNameAndKey* issuersCert, CPKIFCertStatusPtr& certStatus, CPKIFPathSettingsPtr& ps, const CPKIFCertificatePath* prevPath)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckOCSPStatus_URL(const char* url, const CPKIFCertificate& cert, const CPKIFCertificate& issuersCert, CPKIFCertStatusPtr& certStatus)", TOOLKIT_OCSP_CHECKER, 0, this);

    //This function takes a url, parses it then invokes CheckOCSPStatus_Local.
    return CheckOCSPStatus_Local(NULL, 0, NULL, cert, issuersCert, certStatus, ps, url, prevPath);
}

//----------------------------------------------------------------------------------------------------
//
//  Public Member functions
//
//----------------------------------------------------------------------------------------------------
CPKIFOCSPChecker::CPKIFOCSPChecker(void)
    :m_impl (new CPKIFOCSPCheckerImpl)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CPKIFOCSPChecker(void)", TOOLKIT_OCSP_CHECKER, 0, this);

    m_impl->m_parent = this;
    m_impl->m_bLocalConfig = false;
    //m_bRequireSufficientlyRecent = true;

    //CPKIFDurationPtr d(new CPKIFDuration);
    //m_duration = d;
    //m_duration->setSeconds(2592000); //30 days

    m_impl->m_port = 80; //added 3/12/2004

    m_impl->m_bGenerateNonce = false;   //added 6/9/2004; changed 10/13/2006
    m_impl->m_bRequireNonceMatch = true;//added 6/9/2004
    m_impl->m_bMultiCertRequest = true;
    m_impl->m_bCacheResponders = false;

    //added 7/18/2004
    CPKIFPathSettingsPtr settings(new CPKIFPathSettings);
    m_impl->m_settings = settings;
}
CPKIFOCSPChecker::CPKIFOCSPChecker(
    const CPKIFOCSPChecker& copy):m_impl (new CPKIFOCSPCheckerImpl)
{
    m_impl->m_parent = this;
    m_impl->m_bLocalConfig = copy.m_impl->m_bLocalConfig;
    m_impl->m_bMultiCertRequest = copy.m_impl->m_bMultiCertRequest;
    //m_bRequireSufficientlyRecent = true;

    //CPKIFDurationPtr d(new CPKIFDuration);
    //m_duration = d;
    //m_duration->setSeconds(2592000); //30 days

    m_impl->m_port = copy.m_impl->m_port; //added 3/12/2004

    m_impl->m_bGenerateNonce = copy.m_impl->m_bGenerateNonce;   //added 6/9/2004
    m_impl->m_bRequireNonceMatch = copy.m_impl->m_bRequireNonceMatch;//added 6/9/2004

    //added 7/18/2004
    CPKIFPathSettingsPtr settings(new CPKIFPathSettings(*copy.m_impl->m_settings));
    m_impl->m_settings = settings;

    if(copy.m_impl->m_url != (std::string*)NULL)
    {
        std::string* urlCopy = new std::string(*copy.m_impl->m_url);
        CPKIFStringPtr newUrlCopy(urlCopy);
        m_impl->m_url = newUrlCopy;
    }

    if(copy.m_impl->m_host != (std::string*)NULL)
    {
        std::string* hostCopy = new std::string(*copy.m_impl->m_host);
        CPKIFStringPtr newHostCopy(hostCopy);
        m_impl->m_host = newHostCopy;
    }

    m_impl->m_port = copy.m_impl->m_port;
    m_impl->m_bLocalConfig = copy.m_impl->m_bLocalConfig;
    m_impl->m_bRequireThisCert = copy.m_impl->m_bRequireThisCert;

    m_impl->m_responderCert = copy.m_impl->m_responderCert;
    m_impl->m_cred = copy.m_impl->m_cred;

    m_impl->m_namespaces = copy.m_impl->m_namespaces;
    m_impl->m_issuerNamespaces = copy.m_impl->m_issuerNamespaces;

    m_impl->m_bMultiCertRequest = copy.m_impl->m_bMultiCertRequest;
    m_impl->m_bCacheResponders = copy.m_impl->m_bCacheResponders;
}

CPKIFOCSPChecker::~CPKIFOCSPChecker(void)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::~CPKIFOCSPChecker()", TOOLKIT_OCSP_CHECKER, 0, this);

    delete m_impl;
    m_impl = NULL;
}
void CPKIFOCSPChecker::Initialize() 
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::Initialize()", TOOLKIT_OCSP_CHECKER, 0, this);
}
void CPKIFOCSPChecker::SetHost(
    const char* host)
{
    //added check for NULL  2/23/2005
    if(NULL == host)
    {
        throw CPKIFException(thisComponent,COMMON_INVALID_INPUT, "NULL host passed to CPKIFLDAPRepository::SetHost.");
    }

    CPKIFStringPtr tmpSP(new std::string(host));
    m_impl->m_host = tmpSP;
    // can only have a host or a URL, not both
    CPKIFStringPtr nullSP((std::string *)NULL);
    m_impl->m_url = nullSP;
    m_impl->m_bLocalConfig = true;
}

void CPKIFOCSPChecker::SetURL(
    const char* url)
{
    //added check for NULL  2/23/2005
    if(NULL == url)
    {
        throw CPKIFException(thisComponent,COMMON_INVALID_INPUT, "NULL URL passed to CPKIFOCSPChecker::SetHost.");
    }

    CPKIFStringPtr tmpSP(new std::string(url));
    m_impl->m_url = tmpSP;
    // can only have a host or a URL, not both
    CPKIFStringPtr nullSP((std::string *)NULL);
    m_impl->m_host = nullSP;
    m_impl->m_bLocalConfig = true;
}

void CPKIFOCSPChecker::Set_Port(
    int port)
{
    //added port check 2/23/2005
    if(65535 < port)
    {
        throw CPKIFException(thisComponent,COMMON_INVALID_INPUT, "Port greater than 65535 passed to CPKIFLDAPRepository::Set_Port.");
    }
    m_impl->m_port = port;
    m_impl->m_bLocalConfig = true;
}

//check the status of a single cert given the certificate and the issuer's certificate
bool CPKIFOCSPChecker::CheckStatus(
    const CPKIFCertificatePtr& targetCert, 
    const CPKIFCertificatePtr& issuersCert,
    RevocationStatus& status, 
    CPKIFCertStatusPtr& certStatus)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckStatus", TOOLKIT_OCSP_CHECKER, 0, this);

    status = NOT_CHECKED;//added 2/26 CRW

    if(targetCert == (CPKIFCertificate*)NULL || issuersCert == (CPKIFCertificate*)NULL)
        throw CPKIFException(thisComponent,COMMON_INVALID_INPUT,"Invalid input passed to OCSP status verification function");

    //get pointers to the necessary interfaces here
    IPKIFCryptoMisc* cMisc = GetMediatorFromParent<IPKIFCryptoMisc>();
    IPKIFCryptoRawOperations* crypto = GetMediatorFromParent<IPKIFCryptoRawOperations>();
    if(NULL == cMisc || NULL == crypto)
        throw CPKIFException(thisComponent,COMMON_MEDIATOR_MISSING,"One or both of the IPKIFCryptoRawOperations or IPKIFCryptoMisc interfaces was not available.");

    if(certStatus == (CPKIFCertStatus*)NULL)
    {
        //if no cert status was provide then create one for the caller
        CPKIFCertStatusPtr tmpCS(new CPKIFCertStatus);
        certStatus = tmpCS;
    }

    //added this to avoid proceeding when noCheck is presented
    //if nocheck extension is present then relax requirement to check revocation
    CPKIFX509ExtensionPtr ext;
    targetCert->GetExtensionByOID(*g_ocspNoCheck, ext);
    if(ext != (CPKIFX509Extension*)NULL)
    {
        certStatus->SetRevocationStatus(NOT_REVOKED);
        return true;
    }

    if(!m_impl->CheckNamespaces(targetCert))
        return false;

    if(!m_impl->CheckIssuerNamespaces(targetCert))
        return false;


    IPKIFNameAndKey* issuersCertNK = dynamic_cast<IPKIFNameAndKey*>(issuersCert.get());
    if(!issuersCertNK)
        return false;

    bool bDefinitiveAnswer = false;
    if(m_impl->m_bLocalConfig)
    {
        //this instance is associated with an OCSP server - try it first
        // add support for a local URL
        if(m_impl->m_host)
        {
            bDefinitiveAnswer = m_impl->CheckOCSPStatus_Local(m_impl->m_host->c_str(),
                m_impl->m_port, "/", *targetCert, issuersCertNK, certStatus, m_impl->m_settings);
        } 
        else
        {
            bDefinitiveAnswer = m_impl->CheckOCSPStatus_Local(NULL,
                m_impl->m_port, "/", *targetCert, issuersCertNK, certStatus, m_impl->m_settings, m_impl->m_url->c_str());
        }

    }

    if(!bDefinitiveAnswer)
    {
        //if no definitive answer is known so far then we need to consult any OCSP server identified by AIA extension
        CPKIFAuthorityInfoAccessPtr aia = targetCert->GetExtension<CPKIFAuthorityInfoAccess>();
        if(aia != (CPKIFAuthorityInfoAccess*)NULL)
        {
            CPKIFAccessDescriptionListPtr ads = aia->GetAccessDescriptions();

            CPKIFAccessDescriptionList::iterator pos;
            CPKIFAccessDescriptionList::iterator end = ads->end();
            for(pos = ads->begin(); pos != end; ++pos)
            {
                CPKIFOIDPtr aOID = (*pos)->AccessMethod();
                if(aOID != (CPKIFOID*)NULL && *aOID == *g_adOCSP)
                {
                    const char* url = (*pos)->AccessLocation()->uri();
                    bDefinitiveAnswer = m_impl->CheckOCSPStatus_URL(url, *targetCert, issuersCertNK, certStatus, m_impl->m_settings);
                    if(bDefinitiveAnswer) 
                        break;//if we found a definitive answer we need not continue searching
                }
            }
        }
    }

    if(bDefinitiveAnswer)
        status = certStatus->GetRevocationStatus();//added 2/26 CRW

    return bDefinitiveAnswer; 
}
bool CPKIFOCSPChecker::CheckStatusPath(
    //@sought; status information is directly associated with each entry in the path
    CPKIFCertificatePath& path, 
    RevocationStatus& status)
{
    LOG_STRING_DEBUG("CPKIFOCSPChecker::CheckStatusPath(CPKIFCertificatePath& path, RevocationStatus& status)", TOOLKIT_OCSP_CHECKER, 0, this);

    status = NOT_CHECKED;//added 2/26 CRW
    bool statusSet = false;

    RevocationStatus pathStatus = NOT_CHECKED;

    //get pointers to the necessary interfaces here
    IPKIFCryptoMisc* cMisc = GetMediatorFromParent<IPKIFCryptoMisc>();
    IPKIFCryptoRawOperations* crypto = GetMediatorFromParent<IPKIFCryptoRawOperations>();
    if(NULL == cMisc || NULL == crypto)
        throw CPKIFException(thisComponent,COMMON_MEDIATOR_MISSING,"One or both of the IPKIFCryptoRawOperations or IPKIFCryptoMisc interfaces was not available.");

    CPKIFCertificateNodeList certPath;
    path.GetPath(certPath);

    CPKIFPathSettingsPtr ps;
    path.GetPathSettings(ps);

    CPKIFCertificatePtr targetCert;
    path.GetTarget(targetCert);
    if(targetCert == (CPKIFCertificate*)NULL || (!m_impl->CheckNamespaces(targetCert) && !m_impl->CheckIssuerNamespaces(targetCert)))
        return false;

    if(m_impl->m_bLocalConfig && m_impl->m_bMultiCertRequest)
    {
        //we can prepare a single request and try to determine status for all in one shot
        if(m_impl->m_host)
        {
            m_impl->CheckOCSPStatus_Combo(m_impl->m_host->c_str(), m_impl->m_port, "/", path);
        }
        
        else
        {
            m_impl->CheckOCSPStatus_Combo(NULL, m_impl->m_port, "/", path, m_impl->m_url->c_str());
        }
    }

    //determine if we found a definitive answer for all certs in the path
    bool allGood = true;
    CPKIFCertificateNodeList::iterator pathPos;
    CPKIFCertificateNodeList::iterator pathEnd = certPath.end();
    for(pathPos = certPath.begin(); pathPos != pathEnd; ++pathPos)
    {
        CPKIFCertStatusPtr cs = (*pathPos)->GetStatus();
        if(!statusSet)//modified status setting 3/29 CRW
        {
            pathStatus = cs->GetRevocationStatus();
            if(!statusSet && NOT_CHECKED != pathStatus) //added 3/25/2005 CRW
                statusSet = true;
        }
        else
            pathStatus = min(pathStatus, cs->GetRevocationStatus()); //added 3/29 CRW
        if(NOT_CHECKED == cs->GetRevocationStatus())
        {
            allGood = false;
            break;
        }
    }

    //if we did - return true
    if(allGood)
    {
        status = pathStatus;
        return true;
    }

    IPKIFTrustAnchorPtr root;
    path.GetTrustRoot(root);

    IPKIFNameAndKey* prevCert = dynamic_cast<IPKIFNameAndKey*>(root.get());
    if(!prevCert)
    {
        throw CPKIFException(TOOLKIT_OCSP_CHECKER, COMMON_INVALID_INPUT, "CPKIFOCSPChecker does not support non-certificate trust anchors.");
    }

    if(m_impl->m_bLocalConfig)
    {
        //otherwise walk the path and query individual certs
        pathEnd = certPath.end();
        for(pathPos = certPath.begin(); pathPos != pathEnd; ++pathPos)
        {
            CPKIFCertificatePtr cert = (*pathPos)->GetCert();

            if(m_impl->CheckNamespaces(cert) && m_impl->CheckIssuerNamespaces(cert))
            {
                CPKIFCertStatusPtr cs = (*pathPos)->GetStatus();

                if(NOT_CHECKED == cs->GetRevocationStatus())
                {
                    if(m_impl->m_host)
                    {
                        m_impl->CheckOCSPStatus_Local(m_impl->m_host->c_str(), m_impl->m_port, "/", *cert, prevCert, cs, ps, NULL, &path);
                    }
                    else
                    {
                        m_impl->CheckOCSPStatus_Local(NULL, m_impl->m_port, "/", *cert, prevCert, cs, ps, m_impl->m_url->c_str(), &path);
                    }
                }
            }
            prevCert = dynamic_cast<IPKIFNameAndKey*>(cert.get());
        }
    }
    if(allGood)
    {
        status = pathStatus;
        return true;
    }

    //otherwise walk the path in search of AIA extensions with additional servers to query
    prevCert = dynamic_cast<IPKIFNameAndKey*>(root.get());
    if(!prevCert)
    {
        throw CPKIFException(TOOLKIT_OCSP_CHECKER, COMMON_INVALID_INPUT, "CPKIFOCSPChecker does not support non-certificate trust anchors.");
    }

    //if we are locally configured, then we should not chase AIAs
    if(!m_impl->m_bLocalConfig)
    {
        pathEnd = certPath.end();
        for(pathPos = certPath.begin(); pathPos != pathEnd; ++pathPos)
        {
            CPKIFCertificatePtr cert = (*pathPos)->GetCert();
            CPKIFCertStatusPtr cs = (*pathPos)->GetStatus();

            //added 8/24/2004
            //added this to avoid proceeding when noCheck is presented
            //if nocheck extension is present then relax requirement to check revocation
            CPKIFX509ExtensionPtr ext;
            cert->GetExtensionByOID(*g_ocspNoCheck, ext);
            if(ext != (CPKIFX509Extension*)NULL)
            {
                cs->SetRevocationStatus(NOT_REVOKED);
                continue;
            }

            if(NOT_CHECKED == cs->GetRevocationStatus())
            {
                CPKIFAuthorityInfoAccessPtr aia = cert->GetExtension<CPKIFAuthorityInfoAccess>();
                if(aia != (CPKIFAuthorityInfoAccess*)NULL)
                {
                    CPKIFAccessDescriptionListPtr ads = aia->GetAccessDescriptions();

                    CPKIFAccessDescriptionList::iterator pos;
                    CPKIFAccessDescriptionList::iterator end = ads->end();
                    for(pos = ads->begin(); pos != end; ++pos)
                    {
                        //added access method check 10/13/2003 - should've been
                        //here all along!
                        CPKIFOIDPtr accessMethod = (*pos)->AccessMethod();
                        if(accessMethod != (CPKIFOID*)NULL && *g_adOCSP == *accessMethod)
                        {
                            const char* url = (*pos)->AccessLocation()->uri();
                            if(m_impl->CheckOCSPStatus_URL(url, *cert, prevCert, cs, ps, &path))
                                break; //if we found a definitive answer we need not continue searching
                        }
                    }
                }
            }

            prevCert = dynamic_cast<IPKIFNameAndKey*>(cert.get());
        }
    }

    statusSet = false;
    allGood = true;
    pathEnd = certPath.end();
    for(pathPos = certPath.begin(); pathPos != pathEnd; ++pathPos)
    {
        CPKIFCertStatusPtr cs = (*pathPos)->GetStatus();
        if(!statusSet)//modified status setting 3/29 CRW
        {
            pathStatus = cs->GetRevocationStatus();
            statusSet = true;
        }
        else
            pathStatus = min(pathStatus, cs->GetRevocationStatus()); 
        if(NOT_CHECKED == cs->GetRevocationStatus())
        {
            allGood = false;
            break;
        }
    }

    status = pathStatus;
    return allGood;
}
void CPKIFOCSPChecker::SetSigningCredential(
    CPKIFCredentialPtr& cred)
{
    m_impl->m_cred = cred;
}

void CPKIFOCSPChecker::SetResponderPublicKey(
    CPKIFCertificatePtr& cert, 
    bool bRequireThisCert)
{
    m_impl->m_responderCert = cert;
    m_impl->m_bRequireThisCert = bRequireThisCert;
}

CPKIFStringPtr CPKIFOCSPChecker::GetHost() const
{
    return m_impl->m_host;
}
CPKIFStringPtr CPKIFOCSPChecker::GetURL() const
{
    return m_impl->m_url;
}
int CPKIFOCSPChecker::GetPort() const
{
    return m_impl->m_port;
}
CPKIFCredentialPtr CPKIFOCSPChecker::GetSigningCredential() const
{
    return m_impl->m_cred;
}
CPKIFCertificatePtr CPKIFOCSPChecker::GetResponderPublicKey() const
{
    return m_impl->m_responderCert;
}
bool CPKIFOCSPChecker::GetRequireSpecificCert() const
{
    return m_impl->m_bRequireThisCert;
}

void CPKIFOCSPChecker::AddNamespace(
    CPKIFGeneralSubtreePtr& name)
{
    if(name == (CPKIFGeneralSubtree*)NULL)
        return;

    m_impl->m_namespaces.push_back(name);
}
CPKIFGeneralSubtreeList CPKIFOCSPChecker::GetNamespaces()
{
    return m_impl->m_namespaces;
}

void CPKIFOCSPChecker::AddIssuerNamespace(
    CPKIFGeneralSubtreePtr& name)
{
    if(name == (CPKIFGeneralSubtree*)NULL)
        return;

    m_impl->m_issuerNamespaces.push_back(name);
}
CPKIFGeneralSubtreeList CPKIFOCSPChecker::GetIssuerNamespaces()
{
    return m_impl->m_issuerNamespaces;
}

void CPKIFOCSPChecker::SetMultiCertRequest(
    bool bDoMultiCertRequests)
{
    m_impl->m_bMultiCertRequest = bDoMultiCertRequests;
}

bool CPKIFOCSPChecker::GetMultiCertRequest()
{
    return m_impl->m_bMultiCertRequest;
}