CACPathBasicChecks2.cpp

Go to the documentation of this file.

#include "PKIFPathBasicChecks2.h"

#include "ToolkitUtils.h"
#include "BasicChecksUtils.h"
#include "PKIFErrors.h"

#include "PKIFCertificatePath.h"
#include "PKIFTrustRoot.h"
#include "PKIFCertStatus.h"
#include "PKIFCertificateNodeEntry.h"
#include "PKIFTime.h"
#include "PolicyInformation.h"
#include "OID.h"
#include "PKIFPathSettings.h"
#include "PathResults.h"
#include "GeneralSubtree.h"
#include "Certificate.h"
#include "SubjectPublicKeyInfo.h"
#include "Validity.h"
#include "PolicyInformationSet.h"
#include "Name.h"
#include "PolicyConstraints.h"
#include "BasicConstraints.h"
#include "KeyUsage.h"
#include "NameConstraints.h"
#include "InhibitAnyPolicy.h"
#include "PKIFFuncStorage.h"
#include "SubjectAltName.h"
#include "X509Extension.h"
#include "PolicyMappings.h"

#ifdef _DEBUG_PATH
#include <iostream>
#endif
using namespace std;
#include <cstring>

CPKIFPathBasicChecks2::CPKIFPathBasicChecks2(void)
{
    LOG_STRING_DEBUG("CPKIFPathBasicChecks2::CPKIFPathBasicChecks2(void)", TOOLKIT_PATH_BASIC_CHECKS, 0, this);
}
CPKIFPathBasicChecks2::~CPKIFPathBasicChecks2(void)
{
    LOG_STRING_DEBUG("CPKIFPathBasicChecks2::~CPKIFPathBasicChecks2(void)", TOOLKIT_PATH_BASIC_CHECKS, 0, this);
}
bool CPKIFPathBasicChecks2::DoChecks(
    const CPKIFCertificatePath& path, 
    CPKIFPathValidationResults& results, 
    CPKIFFuncStoragePtr& funcs)
{
#undef ERROR_OVERRIDE
#define ERROR_OVERRIDE(errCode) \
{ \
    bool override = false;\
    bool (*fp) (int, CPKIFCertificatePtr&,const CPKIFCertificatePath&) = settings->GetOverrideCallback(); \
    if(NULL != fp) \
    { \
        if(fp(errCode, curCert, path))\
            override = true; \
    } \
    if(!override) \
    {\
        CPKIFCertStatusPtr status(new CPKIFCertStatus); \
        status->SetDiagnosticCode(errCode); \
        (*pos)->SetStatus(status);  \
        results.SetCertificate(*pos); \
        isPathGood = false; \
        break;\
    }\
}\


    LOG_STRING_DEBUG("CPKIFPathBasicChecks2::DoChecks", TOOLKIT_PATH_BASIC_CHECKS, 0, NULL);

    //X.509 path processing inputs
    //  a) set of certs comprising a path
    //  b) trusted public key
    //  c) initial policy set
    //  d) initial explcit policy indicator
    //  e) initial policy mapping inhibit indicator
    //  f) initial inhibit any policy indicator
    //  g) current date/time

    //  a) set of certs comprising a path
    //  b) trusted public key
    CPKIFCertificateNodeList certNodeList;
    path.GetPath(certNodeList);

    //make sure the list is not NULL and is not empty
    if(0 == certNodeList.size())
    {
        RAISE_PATH_EXCEPTION("Empty certificate path parameter.", thisComponent, COMMON_INVALID_INPUT, NULL)
    }

    IPKIFTrustAnchorPtr trustRoot;
    path.GetTrustRoot(trustRoot);
    if(trustRoot == (IPKIFTrustAnchor*)NULL)
    {
        RAISE_PATH_EXCEPTION("Path does not specify a trust root.", thisComponent, PATH_TRUST_ROOT_NOT_SET, NULL)
    }
    else
        results.SetTrustAnchor(trustRoot);

    IPKIFNameAndKey* prevCert = dynamic_cast<IPKIFNameAndKey*>(&(*(trustRoot)));

    //get the name of the trust root so we can perform name chaining against the first cert in the path
    CPKIFNamePtr lastCertName;
    lastCertName = trustRoot->GetSubjectName();
    if(lastCertName == (CPKIFName*)NULL)
    {
        RAISE_PATH_EXCEPTION("Trust root is not a certificate.", thisComponent, PATH_TRUST_ROOT_NO_CERT, NULL)
    }

    //walk the path and unset all of the cert status values by assigning a new, empty status
    {
        CPKIFCertificateNodeList::iterator pos;
        CPKIFCertificateNodeList::iterator end = certNodeList.end();
        for(pos = certNodeList.begin(); pos != end; ++pos)
        {
            CPKIFCertStatusPtr newStatus(new CPKIFCertStatus);
            (*pos)->SetStatus(newStatus);
        }
    }

    //  c) initial policy set
    //  d) initial explcit policy indicator
    //  e) initial policy mapping inhibit indicator
    //  f) initial inhibit any policy indicator
    CPKIFPathSettingsPtr settings;
    path.GetPathSettings(settings);

    //  g) current date/time

    //first check to see if a time was specified in the settings
    CPKIFTimePtr curTime = settings->GetValidationTime();
    if(curTime == (CPKIFTime*)NULL)
        curTime = CPKIFTime::CurrentTime();

    //prepare state variables...
    //  a) authority constrained policy set
    //  b) permitted subtrees
    //  c) excluded subtrees
    //  d) explicit policy indicator
    //  e) path depth
    //  f) policy mapping inhibit indicator
    //  g) inhibit any policy indicator
    //  h) pending constraints

    //  a) authority constrained policy set
    vector<CPKIFPolicyInformationListPtr>* authSet = new vector<CPKIFPolicyInformationListPtr>;

    //set up the results of this validation effort (moved here 12/5/2003 to avoid leaks when name constraints throws)
    results.SetAuthorityConstrainedSet(authSet);

    CPKIFPolicyInformationListPtr zeroRow(new CPKIFPolicyInformationList);
    CPKIFOIDPtr anyPolicy(new CPKIFOID(CPKIFStringPtr(new std::string("2.5.29.32.0"))));
    zeroRow->push_back(CPKIFPolicyInformationPtr(new CPKIFPolicyInformation(anyPolicy)));
    zeroRow->push_back(CPKIFPolicyInformationPtr(new CPKIFPolicyInformation(anyPolicy)));
    authSet->push_back(zeroRow);

    //  b) permitted subtrees
    //  c) excluded subtrees
    //CPKIFGeneralSubtreeListPtr permSubtrees(new CPKIFGeneralSubtreeList); //initialize to unbounded
    //CPKIFGeneralSubtreeListPtr exclSubtrees(new CPKIFGeneralSubtreeList); //initialize to empty
    //                                                            //note how empty looks just like unbounded
    //                                                            //make wisecrack and continue


    CPKIFGeneralSubtreeListPtr permSubtrees;
    CPKIFGeneralSubtreeListPtr exclSubtrees;
    settings->GetInitialPermSubtrees(permSubtrees);
    settings->GetInitialExclSubtrees(exclSubtrees);

    if(permSubtrees == (CPKIFGeneralSubtreeList*)NULL)
    {
        CPKIFGeneralSubtreeListPtr tmp(new CPKIFGeneralSubtreeList);
        permSubtrees = tmp;
    }
    if(exclSubtrees == (CPKIFGeneralSubtreeList*)NULL)
    {
        CPKIFGeneralSubtreeListPtr tmp(new CPKIFGeneralSubtreeList);
        exclSubtrees = tmp;
    }

    //  d) explicit policy indicator
    //  f) policy mapping inhibit indicator
    //  g) inhibit any policy indicator
    std::bitset<3> indicators;
    indicators.reset();
    if(settings != (CPKIFPathSettings*)NULL)
    {
        indicators.set(CPKIFPathSettings::EXPLICIT_POLICY, settings->GetInitialExplicitPolicyIndicator());
        indicators.set(CPKIFPathSettings::POLICY_MAPPING, settings->GetInitialPolicyMappingInhibitIndicator());
        indicators.set(CPKIFPathSettings::ANY_POLICY, settings->GetInitialInhibitAnyPolicyIndicator());
    }

    //  e) path depth
    int pathDepth = 1;

    //  h) pending constraints
    bool bPendingExplicitPolicy = false;
    int nPendingExplicitPolicy = -1;
    bool bPendingPolicyMapping = false;
    int nPendingPolicyMapping = -1;
    bool bPendingAnyPolicy = false;
    int nPendingAnyPolicy = -1;
    bool bPathLength = false;
    int nPathLength = -1;

    bool permSubtreesSet = false; //added 12/03/2003

#ifdef _DEBUG_PATH
    {
        cout << "Dumping path..." << endl;
        cout << "Trust root: " << lastCertName->ToString() << endl;

        CPKIFCertificateNodeList::iterator pos;
        CPKIFCertificateNodeList::iterator end = certNodeList.end();
        for(pos = certNodeList.begin(); pos != end; ++pos)
            cout << "Cert: " << (*pos)->GetCert()->Subject()->ToString() << endl;
    }
#endif

    //iterate over all certs in the path
    bool isPathGood = true; //be optimistic
    CPKIFCertificatePtr curCert;
    CPKIFCertificateNodeList::iterator pos;
    CPKIFCertificateNodeList::iterator end = certNodeList.end();
    for(pos = certNodeList.begin(); pos != end; ++pos)
    {
        //get the cert to process this iteration
        curCert = (*pos)->GetCert();
        (*pos)->ClearProcessedExtensions();

        //bool isSelfIssued = CertIsSelfIssued(curCert);
        bool isSelfIssued = curCert->IsSelfIssued();

        //mod to support Technical Corrigendum 2 - 02/13/03 CRW
        //Technical Corrigendum 2 Item 2) Self-signed certs, if encountered in the path, are ignored
        if(isSelfIssued)
        {
            //CPKIFCertificatePtr curCert2 = curCert;
            //CPKIFCAPIRaw raw;

            //if(raw.VerifyCertificate(*curCert, *curCert2))
            //  continue;
            if(curCert->IsSelfSigned())
                continue;
        }
        else 
        {
            //prepare for next cert
            //if cert is not self-issued decrement the path length
            if(bPathLength)
                --nPathLength;
        }

        //10.5.1 a) Check that the signature verifies, that dates are valid, that the certificate 
        //          subject and certificate issuer names chain correctly, and that the certificate 
        //          has not been revoked.
        //alg check is precursor to signature check, which occurs outside of this function
        CPKIFAlgorithmIdentifierPtr prevCertSigAlg = prevCert->GetSubjectPublicKeyInfo()->alg();
        CPKIFAlgorithmIdentifierPtr curCertSigAlg = curCert->SignatureAlgorithm();
        AlgClass prevAC = GetAlgClass(prevCertSigAlg);
        AlgClass curAC = GetAlgClass(curCertSigAlg);
        if(prevAC != curAC)
        {
            ERROR_OVERRIDE(PATH_SIGNATURE_VERIFICATION_FAILED);
        }

#ifdef _DEBUG_PATH
        const char* curCertString = curCert->Subject()->ToString();
        cout << "Processing certificate with subject: " << curCertString << endl;
#endif

        //perform name chaining check
        if(!(*lastCertName == *curCert->Issuer()))
        {
#ifdef _DEBUG_PATH
            cout << lastCertName->ToString() << " != " <<  curCert->Issuer()->ToString() << endl;
#endif
            
            ERROR_OVERRIDE(PATH_NAME_CHAINING_VIOLATION);
        }

        lastCertName = curCert->Subject();
        prevCert = dynamic_cast<IPKIFNameAndKey*>(&(*(curCert)));

        //perform validity period check
        CPKIFValidityPtr val = curCert->Validity();
        CPKIFTimePtr startTime = val->notBefore();
        CPKIFTimePtr endTime = val->notAfter();
        if(*curTime < *startTime)
        {
            ERROR_OVERRIDE(PATH_VALIDITY_PERIOD_VIOLATION_NOT_YET_VALID);
        }

        if(*curTime > *endTime)
        {
            ERROR_OVERRIDE(PATH_VALIDITY_PERIOD_VIOLATION_EXPIRED);
        }

        //check policy stuff
        CPKIFPolicyInformationSetPtr certPols = curCert->GetExtension<CPKIFPolicyInformationSet>();
        if(certPols != (CPKIFPolicyInformationSet*)NULL)
        {
            //10.5.1 d), e) and f) inside AddPoliciesToAuthSet
            AddPoliciesToAuthSet(certPols, indicators, *authSet, isSelfIssued, pos+1 != end);
            CPKIFX509ExtensionPtr cp2 = certPols;
            (*pos)->MarkExtensionAsProcessed(cp2);
        }
        else
        {
            //certificate policies extension was not present
            //remove all rows from the authority constrained set
            //10.5.1 c) If the certificate policies extension is not present, then set 
            //          the authorities-constrained-policy-set to null by deleting all 
            //          rows from the authorities-constrained-policy-set table.
            authSet->clear();
        }

        //10.5.1 g) If the certificate is not an intermediate self-issued certificate, 
        //          check that the subject name is within the name-space given by the 
        //          value of permitted-subtrees and is not within the name-space given 
        //          by the value of excluded-subtrees.
        if(!(pos+1 != end && isSelfIssued))
        {
            try
            {
                //inspect name constraints
                if(!CheckNameConstraints(curCert, permSubtrees, exclSubtrees, permSubtreesSet))
                {
                    ERROR_OVERRIDE(PATH_NAME_CONSTRAINTS_VIOLATION);
                }
            }
            catch(CPKIFException&e)
            {
                if(e.GetErrorCode() == ASN1_DECODE_ERROR && strcmp(e.GetDescription(), "encountered malformed uriName") ==  0)
                {
                    ERROR_OVERRIDE(PATH_NAME_CONSTRAINTS_VIOLATION);
                }
                else
                {
                    throw e;
                }
            }
        }

        //we'll need policy constraints both in the intermediate cert check block and below out of the block
        CPKIFPolicyConstraintsPtr policyConstraints = curCert->GetExtension<CPKIFPolicyConstraints>();

        if(pos+1 != end)//perform intermediate only processing
        {
            if(bPathLength && nPathLength < 0)
            {
                ERROR_OVERRIDE(PATH_LENGTH_VIOLATION);
            }

            //basicConstraints (incl. path length)
            CPKIFBasicConstraintsPtr basicConstraints = curCert->GetExtension<CPKIFBasicConstraints>();
            bool isCA = false;
            if(basicConstraints != (CPKIFBasicConstraints*)NULL)
            {
                CPKIFX509ExtensionPtr basicConstraints2 = basicConstraints;
                (*pos)->MarkExtensionAsProcessed(basicConstraints2);

                if(basicConstraints->isCA())
                    isCA = true;

                if(basicConstraints->pathLengthPresent())
                {
                    if(bPathLength)
                        nPathLength = min(nPathLength, basicConstraints->pathLength());
                    else
                    {
                        bPathLength = true;
                        nPathLength = basicConstraints->pathLength();
                    }
                }
            }

            if(!isCA)
            {
                //either there's no basicConstraints or there is one and CA is not set to true
                ERROR_OVERRIDE(PATH_BASIC_CONSTRAINTS_VIOLATION);
            }

            CPKIFKeyUsagePtr keyUsage = curCert->GetExtension<CPKIFKeyUsage>();
            if(keyUsage != (CPKIFKeyUsage*)NULL)
            {
                CPKIFX509ExtensionPtr keyUsage2 = keyUsage;
                (*pos)->MarkExtensionAsProcessed(keyUsage2);

                //if there's a key usage present (critical or otherwise) we process it
                if(!keyUsage->KeyCertSign())
                {
                    ERROR_OVERRIDE(PATH_KEY_USAGE_VIOLATION);
                }
            }

            //10.5.2 a) If the nameConstraints extension with a permittedSubtrees component is present 
            //          in the certificate, set the permitted-subtrees state variable to the intersection 
            //          of its previous value and the value indicated in the certificate extension.
            //10.5.2 b) If the nameConstraints extension with an excludedSubtrees component is present 
            //          in the certificate, set the excluded-subtrees state variable to the union of its 
            //          previous value and the value indicated in the certificate extension.
            //check name constraints
            CPKIFNameConstraintsPtr nameConstraints = curCert->GetExtension<CPKIFNameConstraints>();
            if(nameConstraints != (CPKIFNameConstraints*)NULL)
            {
                try
                {
                    //get the permitted subtrees and calculate the intersection
                    CPKIFGeneralSubtreeListPtr perm = nameConstraints->GetPermitted();
                    if(perm != (CPKIFGeneralSubtreeList*)NULL)
                    {
                        CPKIFGeneralSubtreeListPtr tmpSubtrees(new CPKIFGeneralSubtreeList);
                        IntersectSubtrees(perm, permSubtrees, tmpSubtrees);
                        permSubtrees = tmpSubtrees;
                        if(!permSubtreesSet)
                            permSubtreesSet = permSubtrees->empty();
                    }

                    CPKIFGeneralSubtreeListPtr excl = nameConstraints->GetExcluded();
                    if(excl != (CPKIFGeneralSubtreeList*)NULL)
                    {
                        CPKIFGeneralSubtreeList::iterator exclPos;
                        CPKIFGeneralSubtreeList::iterator exclEnd = excl->end();
                        for(exclPos = excl->begin(); exclEnd != exclPos; ++exclPos)
                            exclSubtrees->push_back(*exclPos);
                    }

                    CPKIFX509ExtensionPtr nameConstraints2 = nameConstraints;
                    (*pos)->MarkExtensionAsProcessed(nameConstraints2);
                }
                catch(CPKIFException& e)
                {
                    //if name constraints is critical and we don't understand a name form - fail
                    //otherwise continue processing
                    if(nameConstraints->isCritical())
                        throw e;
                    //else
                    //  delete e;
                }
            }

            //process policy mapping
            CPKIFPolicyMappingsPtr policyMappings = curCert->GetExtension<CPKIFPolicyMappings>();
            if(policyMappings != (CPKIFPolicyMappings*)NULL)
            {
                ProcessPolicyMapping(policyMappings, indicators, *authSet);
                CPKIFX509ExtensionPtr policyMappings2 = policyMappings;
                (*pos)->MarkExtensionAsProcessed(policyMappings2);
            }

            //10.5.2 d) if the policy-mapping-inhibit-pending indicator is set and the certificate 
            //is not self-issued, decrement the corresponding skip-certificates value 
            //and, if this value becomes zero, set the policy-mapping-inhibit-indicator.
            if(bPendingPolicyMapping && !isSelfIssued && !indicators[CPKIFPathSettings::POLICY_MAPPING])
            {
                --nPendingPolicyMapping;
                if(0 == nPendingPolicyMapping)
                {
                    indicators.set(CPKIFPathSettings::POLICY_MAPPING);
                }
            }

            if(policyConstraints != (CPKIFPolicyConstraints*)NULL)
            {
                if(policyConstraints->InhibitPolicyMappingPresent())
                {
                    if(bPendingPolicyMapping)
                        nPendingPolicyMapping = min(nPendingPolicyMapping, policyConstraints->InhibitPolicyMapping());
                    else
                    {
                        bPendingPolicyMapping = true;
                        nPendingPolicyMapping = policyConstraints->InhibitPolicyMapping();
                    }
                }

                //added 02/10/03 - CRW
                if(0 == nPendingPolicyMapping)
                    indicators.set(CPKIFPathSettings::POLICY_MAPPING);

                CPKIFX509ExtensionPtr policyConstraints2 = policyConstraints;
                (*pos)->MarkExtensionAsProcessed(policyConstraints2);
            }

            //10.5.2 e) For any row not modified in either step c) or d), above (and every row in 
            //the case that there is no mapping extension present in the certificate), write the 
            //policy identifier from [path-depth] column in the [path-depth+1] column of the row.
            vector<CPKIFPolicyInformationListPtr>::iterator authSetPos;
            vector<CPKIFPolicyInformationListPtr>::iterator authSetEnd = authSet->end();
            const size_t pathDepthPlusOne = pathDepth + 1;
            for(authSetPos = authSet->begin(); authSetPos != authSetEnd; ++authSetPos)
            {
                const size_t curSize = (*authSetPos)->size();
                if(curSize == pathDepthPlusOne)
                {
                    CPKIFPolicyInformationPtr lastPol = (*authSetPos)->back();
                    (*authSetPos)->push_back(lastPol);
                }
            }

            //10.5.2 f) f)  If inhibit-any-policy-indicator is not set:
            //If the inhibit-any-policy-pending indicator is set and the certificate is not self-issued, 
            //decrement the corresponding skip-certificates value and, if this value becomes zero, set the 
            //inhibit-any-policy-indicator.
            //If the inhibitAnyPolicy constraint is present in the certificate, perform the following. 
            //For a SkipCerts value of 0, set the inhibit-any-policy-indicator. For any other SkipCerts value, 
            //set the inhibit-any-policy-pending indicator, and set the corresponding skip-certificates value 
            //to the lesser of the SkipCerts value and the previous skip-certificates value (if the 
            //inhibit-any-policy-pending indicator was already set).
            if(bPendingAnyPolicy && !isSelfIssued && !indicators[CPKIFPathSettings::ANY_POLICY])
            {
                --nPendingAnyPolicy;
                if(0 == nPendingAnyPolicy)
                {
                    indicators.set(CPKIFPathSettings::ANY_POLICY);
                }
            }

            CPKIFInhibitAnyPolicyPtr inhibitAnyPolicy = curCert->GetExtension<CPKIFInhibitAnyPolicy>();
            if(inhibitAnyPolicy != (CPKIFInhibitAnyPolicy*)NULL)
            {
                CPKIFX509ExtensionPtr inhibitAnyPolicy2 = inhibitAnyPolicy;
                (*pos)->MarkExtensionAsProcessed(inhibitAnyPolicy2);

                if(!indicators[CPKIFPathSettings::ANY_POLICY])
                {
                    if(bPendingAnyPolicy)
                        nPendingAnyPolicy = min(nPendingAnyPolicy, inhibitAnyPolicy->SkipCerts());
                    else
                    {
                        bPendingAnyPolicy = true;
                        nPendingAnyPolicy = inhibitAnyPolicy->SkipCerts();
                    }

                    //added 02/10/03 - CRW
                    if(0 == nPendingAnyPolicy)
                        indicators.set(CPKIFPathSettings::ANY_POLICY);
                }
            }

        }//end intermediate-only processing
        else //perform end entity processing
        {
            //check-off any of the extensions we'd typically process for an intermediate cert
            //but do not care about in this case so we can avoid failure due to unhandled critical extensions
    
            //do not process key usage - the application should have to provide a functor (i.e. callback) for that

            CPKIFBasicConstraintsPtr basicConstraints = curCert->GetExtension<CPKIFBasicConstraints>();
            bool isCA = false;
            if(basicConstraints != (CPKIFBasicConstraints*)NULL)
            {
                CPKIFX509ExtensionPtr basicConstraints2 = basicConstraints;
                (*pos)->MarkExtensionAsProcessed(basicConstraints2);
            }

            CPKIFPolicyMappingsPtr policyMappings = curCert->GetExtension<CPKIFPolicyMappings>();
            if(policyMappings != (CPKIFPolicyMappings*)NULL)
            {
                //Added this non-standard row per Santosh's analysis.  This may ultimately be reflected in 3280bis.
                ProcessPolicyMapping(policyMappings, indicators, *authSet);

                CPKIFX509ExtensionPtr policyMappings2 = policyMappings;
                (*pos)->MarkExtensionAsProcessed(policyMappings2);
            }

            CPKIFNameConstraintsPtr nameConstraints = curCert->GetExtension<CPKIFNameConstraints>();
            if(nameConstraints != (CPKIFNameConstraints*)NULL)
            {
                CPKIFX509ExtensionPtr nameConstraints2 = nameConstraints;
                (*pos)->MarkExtensionAsProcessed(nameConstraints2);
            }
            
            if(policyConstraints != (CPKIFPolicyConstraints*)NULL)
            {
                CPKIFX509ExtensionPtr policyConstraints2 = policyConstraints;
                (*pos)->MarkExtensionAsProcessed(policyConstraints2);
            }       

            CPKIFInhibitAnyPolicyPtr inhibitAnyPolicy = curCert->GetExtension<CPKIFInhibitAnyPolicy>();
            if(inhibitAnyPolicy != (CPKIFInhibitAnyPolicy*)NULL)
            {
                CPKIFX509ExtensionPtr inhibitAnyPolicy2 = inhibitAnyPolicy;
                (*pos)->MarkExtensionAsProcessed(inhibitAnyPolicy2);
            }
        }

        //10.5.3 a) if the explicit-policy-pending indicator is set and the certificate is not a 
        //self-issued intermediate certificate, decrement the corresponding skip-certificates value 
        //and, if this value becomes zero, set explicit-policy-indicator.       
    
        //changed !isSelfIssued to !(isSelfIssued && pos+1 != end) 3/11/2003 CRW
        //check should apply to end certs self issued or otherwise (if pos+1!=end then its an intermediate cert)
        if(bPendingExplicitPolicy && !(isSelfIssued && pos+1 != end) && !indicators[CPKIFPathSettings::EXPLICIT_POLICY])
        {
            --nPendingExplicitPolicy;
            if(0 == nPendingExplicitPolicy)
            {
                indicators.set(CPKIFPathSettings::EXPLICIT_POLICY);
            }
        }

        if(policyConstraints != (CPKIFPolicyConstraints*)NULL)
        {
            //already flagged this extension as processed above
            if(policyConstraints->RequireExplicitPolicyPresent())
            {
                if(bPendingExplicitPolicy)
                    nPendingExplicitPolicy = min(nPendingExplicitPolicy, policyConstraints->RequireExplicitPolicy());
                else
                {
                    bPendingExplicitPolicy = true;
                    nPendingExplicitPolicy = policyConstraints->RequireExplicitPolicy();
                }

                if(0 == nPendingExplicitPolicy)
                {
                    indicators.set(CPKIFPathSettings::EXPLICIT_POLICY);
                }
            }
        }

        if(indicators[CPKIFPathSettings::EXPLICIT_POLICY] && authSet->empty())
        {
            //go ahead and bail out if the authority set becomes NULL and 
            //require explicit policy is set.
            ERROR_OVERRIDE(PATH_NULL_AUTH_POLICY_SET);
        }

        CPKIFFuncStorageSingleton* fss = CPKIFFuncStorageSingleton::GetInstance();
        if(fss != (CPKIFFuncStorageSingleton*)NULL && !fss->empty())
        {
            try
            {
                if(pos+1 == end)
                    (*fss)(*pos, results, EE);
                else
                    (*fss)(*pos, results, INTERMEDIATE);
            }
            catch(CPKIFException&)
            {
                //delete e;

                ERROR_OVERRIDE(PATH_APP_DEFINED_CHECK_FAILED);
            }
        }

        //if there are any additional checks to perform do so now
        if(funcs != (CPKIFFuncStorage*)NULL && !funcs->empty())
        {
            try
            {
                if(pos+1 == end)
                    (*funcs)(*pos, results, EE);
                else
                    (*funcs)(*pos, results, INTERMEDIATE);
            }
            catch(CPKIFException&)
            {
                //delete e;

                ERROR_OVERRIDE(PATH_APP_DEFINED_CHECK_FAILED);
            }
        }

        //make sure critical subAltNames do not trip us up - 12/3/2003
        CPKIFSubjectAltNamePtr san = curCert->GetExtension<CPKIFSubjectAltName>();
        if(san != (CPKIFSubjectAltName*)NULL)
        {
            CPKIFX509ExtensionPtr san2 = san;
            (*pos)->MarkExtensionAsProcessed(san2);
        }

        //make sure all critical extensions have been processed
        if((*pos)->AreThereAnyUnprocessedCriticalExtensions())
        {
            ERROR_OVERRIDE(PATH_UNPROCESSED_CRITICAL_EXTENSION);
        }

        //update the status for the current node to reflect the fact that all 
        //basic validation checks were successfully performed
        (*pos)->GetStatus()->SetPassedValidationChecks(true);
    }//end iteration over path members

    //set up the results of this validation effort
//  results.SetAuthorityConstrainedSet(authSet);

    CPKIFPolicyInformationListPtr userSet(new CPKIFPolicyInformationList), initSet, authSetCondensed;
    results.GetAuthorityConstrainedSet(authSetCondensed);

    if(settings != (CPKIFPathSettings*)NULL)
        settings->GetInitialPolicySet(initSet);
    
    CPKIFPolicyInformationPtr anyPolicyPI(new CPKIFPolicyInformation(anyPolicy));

    if(initSet != (CPKIFPolicyInformationList*)NULL && !initSet->empty() && *anyPolicyPI == *initSet->front())
    {
        //if the initial policy set is not NULL, not empty and contains any policy then the
        //user set is the auth set
        userSet = authSetCondensed; 
    }
    else if(authSetCondensed != (CPKIFPolicyInformationList*)NULL && !authSetCondensed->empty() && *anyPolicyPI == *authSetCondensed->front())
    {
        //if the auth set is not empty and contains any policy then the user set is the initial set
        userSet = initSet; 
    }
    else if(initSet != (CPKIFPolicyInformationList*)NULL && !initSet->empty())
    {
        //otherwise we need the intersection of the two
        IntersectSets(authSetCondensed, initSet, userSet);
    }
    //otherwise userSet is empty
    if(permSubtreesSet)
        results.SetPermittedSubtrees(permSubtrees);
    results.SetExcludedSubtrees(exclSubtrees);
    if(bPendingExplicitPolicy)
        results.SetPendingExplicitPolicy(nPendingExplicitPolicy);
    if(bPendingPolicyMapping)
        results.SetPendingPolicyMapping(nPendingPolicyMapping);
    if(bPendingAnyPolicy)
        results.SetPendingAnyPolicy(nPendingAnyPolicy);
    if(bPathLength)
        results.SetPendingPathLength(nPathLength);

    //return the userSet and the require explicit policy indicator
    results.SetUserConstrainedSet(userSet);
    results.SetExplicitPolicyIndicator(indicators[CPKIFPathSettings::EXPLICIT_POLICY]);

    if(isPathGood && indicators[CPKIFPathSettings::EXPLICIT_POLICY] && userSet->empty())
    {
        //if the require explicit policy indicator is true and the user set is empty then
        //return failure

        //associate the failure with the last cert in the path
        CPKIFCertificateNodeEntryPtr lastCert = certNodeList.back();
        bool override = false;
        bool (*fp) (int, CPKIFCertificatePtr&,const CPKIFCertificatePath&) = settings->GetOverrideCallback(); 
        if(NULL != fp) 
        { 
            CPKIFCertificatePtr tmpCert = lastCert->GetCert();  
            if(fp(PATH_NULL_USER_POLICY_SET, tmpCert/*lastCert->GetCert()*/, path))
                override = true; 
        } 
        if(!override) 
        {
            CPKIFCertStatusPtr status(new CPKIFCertStatus); 
            status->SetDiagnosticCode(PATH_NULL_USER_POLICY_SET); 
            lastCert->SetStatus(status);    
            results.SetCertificate(lastCert); 
            isPathGood = false; 
            return false;
        }

    }

    //the path has earned a check mark
    //this should not always be setting this to true.  it should only set to true when the path is valid
    //fixed by changing from true to isPathGood - 2/25/2005
    results.SetBasicChecksSuccessfullyPerformed(isPathGood);

    //otherwise return the indication as set above (could be success or failure)
    return isPathGood;
}