CCACX509CRLChecker.cpp

Go to the documentation of this file.

#include "PKIFX509CRLChecker.h"
#include "PKIFCertificatePath.h"
#include "PKIFErrors.h"

#include "PKIFCacheInterfaces.h"
#include "PKIFPathInterfaces.h"
#include "PKIFCertificatePath.h"
#include "PKIFBasicPathState2.h"    //added 7/21/2005
#include "GeneralNamesCompare.h"

#include "Certificate.h"
#include "SubjectPublicKeyInfo.h"
#include "CRL.h"
#include "CRLEntry.h"
#include "PKIFCRLNodeEntry.h"

#include "AuthorityKeyIdentifier.h"
#include "SubjectKeyIdentifier.h"
#include "PolicyInformationSet.h"
#include "PolicyMappings.h"
#include "DeltaCRLIndicator.h"

#include "IssuingDistributionPoint.h"
#include "CRLDistributionPoints.h"
#include "CRLDistributionPoint.h"
#include "DistributionPointName.h"
#include "PKIFCRLInfo.h"
#include "GeneralName.h"
#include "AlgorithmIdentifier.h"

#include "BasicConstraints.h"
#include "CRLNumber.h"
#include "CRLStreamIdentifier.h"
#include "KeyUsage.h"
#include "FreshestCRL.h"
#include "Buffer.h"
#include "CRLReason.h"
#include "GottaMatch.h"
#include "PKIFTime.h"
#include "IPKIFCryptoMisc.h"
#include "IPKIFCryptoRawOperations.h"
#include "IPKIFHashContext.h"
#include "CertificateNodeListWithSourceInfo.h"
#include "PKIFPathSettings.h"
#include "PKIFCertStatus.h"
#include "ReasonFlags.h"
#include "ASN1Helper.h"
#include "PKIX1Explicit88.h"

#include "IPKIFCRLRepository.h"

#include "boost/numeric/conversion/cast.hpp"

#include <iterator>

using boost::numeric_cast;
using boost::bad_numeric_cast;

using namespace boost;
using namespace std;

//added declarations 7/21/2005 - implemented in CACDefaultScoring.cpp
extern bool scoreCompare(const CPKIFCertificateNodeEntryPtr& lhs, const CPKIFCertificateNodeEntryPtr& rhs);
extern bool KeyIDsMatch(CPKIFAuthorityKeyIdentifierPtr& akid, CPKIFCertificatePtr& curCert);
extern bool SomeMatch(CPKIFPolicyInformationSetPtr& fromCert, CPKIFPolicyInformationListPtr& polsFromPrevCert, CPKIFPolicyMappingsPtr& policyMappings);

#include "ToolkitUtils.h"
#include "PKIFCryptoErrors.h"               //crypto errors
#include "PKIFCryptoPPErrors.h"
#include "PKIFNSSErrors.h"
#include "PKIFKeyMaterial.h"

extern CPKIFOIDPtr g_ocspNoCheck;

//CRLs are classified based on the values found in the IssuingDistributionPoint and DeltaCRLIndicator
//extension, if present, without regard for criticality.  IssuingDistributionPoint is defined as follows
//(with related PKIF enumerations given as a ASN.1 comments for each field):
//
//  IssuingDistPointSyntax ::= SEQUENCE 
//  {
//      distributionPoint           [0] DistributionPointName   OPTIONAL,       -- CRLSCOPE
//      onlyContainsUserCerts       [1] BOOLEAN                 DEFAULT FALSE,  -- CRLCOVERAGE
//      onlyContainsAuthorityCerts  [2] BOOLEAN                 DEFAULT FALSE,  -- CRLCOVERAGE
//      onlySomeReasons             [3] ReasonFlags             OPTIONAL,       -- CRLREASONS
//      indirectCRL                 [4] BOOLEAN                 DEFAULT FALSE,  -- CRLAUTHORITY
//      onlyContainsAttributeCerts  [5] BOOLEAN                 DEFAULT FALSE   -- CRLCOVERAGE
//  }

//
//The DeltaCRLIndicator extension is simply an integer as defined below:
//
//  BaseCRLNumber ::= CRLNumber
//

//The CRLSCOPE enum indicates the scope of the CRL, i.e. complete, delta or distribution point (scoped by
//reason or other factors).  The value is determined by inspection of the DeltaCRLIndicator and/or
//the distributionPoint field of the IssuingDistributionPoint extension of the CRL.
//enum CRLSCOPE {CS_COMPLETE, CS_DP, CS_DELTA, CS_DELTA_DP, CS_UNSUPPORTED};
//CS_COMPLETE   : The CRL contains no DeltaCRLIndicator indicator and either has no IssuingDistributionPoint
//                  extension or has an IssuingDistributionPoint extension with no distributionPoint field.
//CS_DP         : The CRL contains no DeltaCRLIndicator indicator and has an IssuingDistributionPoint extension 
//                  with a distributionPoint field.
//CS_DELTA      : The CRL contains a DeltaCRLIndicator indicator and either has no IssuingDistributionPoint
//                  extension or has an IssuingDistributionPoint extension with no distributionPoint field.
//CS_DELTA_DP   : The CRL contains a DeltaCRLIndicator indicator and has an IssuingDistributionPoint extension 
//                  with a distributionPoint field.
//CS_UNSUPPORTED: Unsupported by PKIF - to be determined

//The CRLCOVERAGE enum indicates the type(s) of entities covered by the CRL.  The value is
//determined by inspection of the onlyContainsUserCerts, onlyContainsAuthorityCerts and
//onlyContainsAttributeCerts fields of the IssuingDistributionPoint extension in the CRL.  CRLs that
//contain more than one onlyContainsXXX field can be considered invalid and discarded.  (The fields
//are logically a CHOICE and should've been defined as such.)
//enum CRLCOVERAGE {CC_ALL, CC_EEONLY, CC_CAONLY, CC_UNSUPPORTED};
//CC_ALL        : The CRL contains no IssuingDistributionPoint extension or has an IssuingDistributionPoint 
//                  extension with no onlyContainsUserCerts, onlyContainsAuthorityCerts or onlyContainsAttributeCerts
//                  fields.
//CC_EEONLY     : The CRL contains an IssuingDistributionPoint extension with onlyContainsUserCerts present.
//CC_CAONLY     : The CRL contains an IssuingDistributionPoint extension with onlyContainsAuthorityCerts present.
//CC_UNSUPPORTED: Unsupported by PKIF - the CRL contains an IssuingDistributionPoint extension with 
//                  onlyContainsAttributeCerts present.

//The CRLCOVERAGE value determines the attributes to search when retrieving CRLs from a directory.
//Below are the relationship between each enumerated value and directory attributes:
//  CC_ALL      : certificateRevocationList, authorityRevocationList
//  CC_EEONLY   : certificateRevocationList
//  CC_CAONLY   : authorityRevocationList

//The CRLAUTHORITY enum indicates whether or not the CRL includes revocation notifications for CAs other
//than the issuer of the CRL.  The value is determined by inspection of the indirectCRL field of the 
//IssuingDistributionPoint extension of the CRL.
//enum CRLAUTHORITY {CA_DIRECT, CA_INDIRECT};
//CA_DIRECT     : The CRL contains no IssuingDistributionPoint extension or has an IssuingDistributionPoint 
//                  extension with no indirectCRL field.
//CA_INDIRECT   : The CRL contains an IssuingDistributionPoint extension with indirectCRL present.

//The CRLREASONS enum indicates whether or not the CRL covers all reason codes or a subset.  The value is 
//determined by inspection of the onlySomeReasons field of the IssuingDistributionPoint extension of the CRL.
//enum CRLREASONS {CR_ALLREASONS, CR_SOMEREASONS};
//CR_ALLREASONS : The CRL contains no IssuingDistributionPoint extension or has an IssuingDistributionPoint 
//                  extension with no onlySomeReasons field.
//CR_SOMEREASONS: The CRL contains an IssuingDistributionPoint extension with onlySomeReasons present.

//Annex B of X.509 defines the following types of CRLs (given below along with CRLCOVERAGE, CRLSCOPE
//and CRLAUTHORITY values that define the type)
//- Full and complete CRL,              (CC_ALL,    CS_COMPLETE,    CA_DIRECT)
//                    EPRL,             (CC_EEONLY, CS_COMPLETE,    CA_DIRECT)
//                    or CARL;          (CC_CAONLY, CS_COMPLETE,    CA_DIRECT)

//- Indirect CRL,                       (CC_ALL,    CS_COMPLETE,    CA_INDIRECT) 
//           EPRL                       (CC_EEONLY, CS_COMPLETE,    CA_INDIRECT)
//           or CARL (ICRL);            (CC_CAONLY, CS_COMPLETE,    CA_INDIRECT)

//- Delta CRL (dCRL),                   (CC_ALL,    CS_DELTA,       CA_DIRECT)
//        dEPRL                         (CC_EEONLY, CS_DELTA,       CA_DIRECT)
//        or dCARL;                     (CC_CAONLY, CS_DELTA,       CA_DIRECT)

//- Indirect dCRL,                      (CC_ALL,    CS_DELTA,       CA_INDIRECT)
//           dEPRL                      (CC_EEONLY, CS_DELTA,       CA_INDIRECT)
//           or dCARL.                  (CC_CAONLY, CS_DELTA,       CA_INDIRECT)

//- Distribution Point CRL,             (CC_ALL,    CS_DP,          CA_DIRECT)
//                     EPRL             (CC_EEONLY, CS_DP,          CA_DIRECT)
//                     or CARL;         (CC_CAONLY, CS_DP,          CA_DIRECT)

//Annex B of X.509 does not identify Indirect Distribution Point CRLs, Delta Distribution Point CRLs
//or Indirect Delta Distribution Point CRLs
//- Indirect Distribution Point CRL,    (CC_ALL,    CS_DP,          CA_INDIRECT)
//                              EPRL    (CC_EEONLY, CS_DP,          CA_INDIRECT)
//                              or CARL;(CC_CAONLY, CS_DP,          CA_INDIRECT)

//- Delta Distribution Point CRL,       (CC_ALL,    CS_DELTA_DP,    CA_DIRECT)
//        EPRL                          (CC_EEONLY, CS_DELTA_DP,    CA_DIRECT)
//        or CARL;                      (CC_CAONLY, CS_DELTA_DP,    CA_DIRECT)

//- Indirect Delta Distrib. Point CRL,  (CC_ALL,    CS_DELTA_DP,    CA_INDIRECT)
//           EPRL                       (CC_EEONLY, CS_DELTA_DP,    CA_INDIRECT)
//           or CARL.                   (CC_CAONLY, CS_DELTA_DP,    CA_INDIRECT)

//For each of the 24 types of CRLs identified above there are 2 possible varieties: CR_ALLREASONS, CR_SOMEREASONS.
//There are 48 types of CRLs in total.

//6 types of certificates are defined (in CPKIFX509CRLChecker.h)
//enum CERTTYPES {CT_EE_CRIT, CT_EE_NONCRIT, CT_EE, CT_CA_CRIT, CT_CA_NONCRIT, CT_CA, CT_UNSUPPORTED};
//enum CRLSCOPE {CS_COMPLETE, CS_DP, CS_DELTA, CS_DELTA_DP, CS_UNSUPPORTED};
bool g_CompatibleScope[CPKIFX509CRLChecker::CT_UNSUPPORTED][CPKIFX509CRLChecker::CS_UNSUPPORTED] = {
    {true, true, true, true},
    {true, false, true, false},
    {true, true, true, true},
    {true, false, true, false}
};

//enum CRLCOVERAGE {CC_ALL, CC_EEONLY, CC_CAONLY, CC_UNSUPPORTED};
bool g_CompatibleCoverage[CPKIFX509CRLChecker::CT_UNSUPPORTED][CPKIFX509CRLChecker::CC_UNSUPPORTED] = {
    {true, true, false},
    {true, true, false},
    {true, false, true},
    {true, false, true}
};

//
//End-entity certificate with critical CRL DP or freshestCRL        (CT_EE_CRIT)
//End-entity certificate with non-critical CRL DP or freshestCRL    (CT_EE_NONCRIT)
//End-entity certificate with no CRL DP nor freshestCRL             (CT_EE)

//CA certificate with critical CRL DP or freshestCRL                (CT_CA_CRIT)
//CA certificate with non-critical CRL DP or freshestCRL            (CT_CA_NONCRIT)
//CA certificate with no CRL DP nor freshestCRL                     (CT_CA)

//The CRL types that are permissible for each type of certificate are given below.
//CRLREASONS are not considered as either value is always permissible from a validation point of view
//and depend on the reason codes of interest indicated by an application.  CRLAUTHORITY is not considered
//as either value is always permissible.  The total number of permissible CRLs for each cert type is 
//always the number identified below multiplied by four.

//End-entity certificate with non-critical CRL DP or freshestCRL    (CT_EE_CRIT)
//PERMISSIBLE TYPES (8)
//  - CRLSCOPE      : CS_COMPLETE, CS_DP, CS_DELTA, CS_DELTA_DP
//  - CRLCOVERAGE   : CC_ALL, CC_EEONLY

//End-entity certificate with non-critical CRL DP or freshestCRL    (CT_EE_NONCRIT)
//PERMISSIBLE TYPES (8)
//  - CRLSCOPE      : CS_COMPLETE, CS_DP, CS_DELTA, CS_DELTA_DP
//  - CRLCOVERAGE   : CC_ALL, CC_EEONLY

//End-entity certificate with no CRL DP nor freshestCRL             (CT_EE)
//PERMISSIBLE TYPES (4)
//  - CRLSCOPE      : CS_COMPLETE, CS_DELTA
//  - CRLCOVERAGE   : CC_ALL, CC_EEONLY

//CA certificate with non-critical CRL DP or freshestCRL            (CT_CA_CRIT)
//PERMISSIBLE TYPES (8)
//  - CRLSCOPE      : CS_COMPLETE, CS_DP, CS_DELTA, CS_DELTA_DP
//  - CRLCOVERAGE   : CC_ALL, CC_CAONLY

//CA certificate with non-critical CRL DP or freshestCRL            (CT_CA_NONCRIT)
//PERMISSIBLE TYPES (8)
//  - CRLSCOPE      : CS_COMPLETE, CS_DP, CS_DELTA, CS_DELTA_DP
//  - CRLCOVERAGE   : CC_ALL, CC_CAONLY

//CA certificate with no CRL DP nor freshestCRL                     (CT_CA)
//PERMISSIBLE TYPES (4)
//  - CRLSCOPE      : CS_COMPLETE, CS_DELTA
//  - CRLCOVERAGE   : CC_ALL, CC_CAONLY

//CRL Processing Steps 
//
//1)    Classify the target certificate as one of the 4 types of certificate 
//2)    Determine the CRLs to obtain  
//      a.  Identify the CRL types that apply (i.e. consult a static table w/ permissible CRLCOVERAGE and 
//          CRLSCOPE values for each cert type) 
//      b.  Identify locations from which to retrieve CRLs (i.e. certificate issuer directory entry vs. 
//          CRLDP/freshestCRL) 
//3)    Obtain CRL(s) - fail if no CRLs can be obtained 
//4)    For each CRL, determine CRL and cert compatibility 
//      a.  Confirm that the CRL type and cert type are compatible (discard CRL upon failure) 
//      b.  Validate CRL issuer name (discard CRL upon failure) 
//          i.  One of the names in a CRL DP crlIssuer field or the cert issuer shall match the CRL issuer.  
//              If a CRL DP produced the match, set the active CRLDP state variable to the CRL DP containing 
//              matching crlIssuer field.  
//      c.  Validate DP (discard CRL upon failure) 
//          i.  If the active CRL DP is set and an IDP w/distribution point field is present in the CRL, one 
//              of the names in the active CRL DP shall match one of the names in the IDP DP.  If the active 
//              CRL DP is not set and an IDP w/distribution point field is present, one of the names in a CRL 
//              DP shall match one of the names in the IDP DP and the active CRL DP should be set to the CRL 
//              DP that matches the IDP.  
//          ii. If reasons field is present in the active CRL DP, the onlySomeReasons field of the IDP shall 
//              be absent or contain at least one of the reason codes asserted in the CRL DP 
//      d.  Validate CRL authority (discard CRL upon failure) 
//          i.  If the CRL issuer name does not match the cert issuer name, the indirectCRL field must be 
//              present in the IDP. 
//5)    For each CRL, determine CRL validity
//      a.  Currency check (discard CRL upon failure)
//      b.  Signature check (discard CRL upon failure)
//      c.  Validate delta scope (upon failure discard the CRL or set it aside pending acquisition of 
//          additional CRLs)
//      d.  Process remaining CRL extensions
//6)    Determine if all necessary CRLs were obtained 
//      a.  Process critical CRL DP and/or freshestCRL extensions (if requirements are not met try to obtain 
//          additional CRLs or fail)
//      b.  Process reason codes of interest (If requirements are not met try to obtain additional CRLs or fail) 
//      c.  Discard extraneous CRLs (optional) 
//7)    For each CRL, review revocation notifications
//      a.  Check certificate status 
//          i.  If certificate is found on a CRL, process any CRL entry extensions


#include "CRLType.h"
struct CPKIFX509CRLCheckerImpl {
  // "parent" will hold a pointer to encapsulating class.
  // This is used so we have a handle to CPKIFX509CRLChecker,
  // allowing us to access its attributes.
  CPKIFX509CRLChecker *m_parent;

    CPKIFX509CRLCheckerImpl () 
    {
    m_parent = 0;
    }
    CPKIFX509CRLCheckerImpl (CPKIFX509CRLChecker  *p) 
    {
    m_parent = p;
    }
  
  CPKIFReasonFlagsPtr m_reasons;
  CPKIFPathSettingsPtr m_settings;

  //status check function that is invoked by both CheckStatus and CheckStatusPath from the public interface
  bool CheckStatusInternal(const CPKIFCertificatePtr& targetCert, IPKIFNameAndKey* issuersCertNK, const CPKIFCertificatePtr& issuersCert,
                           RevocationStatus& status, CPKIFCertStatusPtr& certStatus, bool validatePathToDirectCRLs, CPKIFPathSettingsPtr& settings, IPKIFTrustAnchorPtr& rootFromPath);

  //functions that implement the CRL processing steps defined at the top of CACX509CRLChecker.cpp
  //1) performed in CheckStatusInternal (simple call to ClassifyCert)
  //2) handled by cache colleagues
  //3)
  void ObtainCRLs(const CPKIFCertificatePtr& targetCert, PKIInfoSource& source, CPKIFCRLList& crlList, CPKIFPathSettingsPtr& settings);
  //4 & 5)
  void DetermineCompatibilityAndValidity(const CPKIFCertificatePtr& targetCert, IPKIFNameAndKey* issuersCertNK,  const CPKIFCertificatePtr& issuersCert,
                                         CPKIFCRLList& crlList, bool validatePathToDirectCRLs, CPKIFCRLList& quarantinedCRLs, CPKIFPathSettingsPtr& settings,AssociatedCRLsList& acl, IPKIFTrustAnchorPtr& rootFromPath);
  //6)
  bool DoWeHaveEverythingWeNeed(const CPKIFCertificatePtr& targetCert, CPKIFCRLList& crlList, CPKIFCRLList& quarantinedCRLs); 
  //7) performed by following two functions
  void SeeIfCertHasBeenRevoked(const CPKIFCertificatePtr& targetCert, AssociatedCRLsList& crlList,
                               RevocationStatus& status, CPKIFCertStatusPtr& certStatus, CPKIFCRLInfoPtr& crlInfo);

  //functions that are called by the above functions
  //commented out unused function - the path building stuff was 
  //directly invoked in indirectCRL cases without using this function
  //8/26/2004
  //    bool ValidatePath(CPKIFCertificatePtr& signersCert);
  bool PerformCurrencyAndSignatureChecks(const CPKIFCertificatePtr& targetCert, 
                                         IPKIFNameAndKey* issuersCertNK, const CPKIFCertificatePtr& issuersCert, CPKIFCRLPtr& crl, const CPKIFX509CRLChecker::CRLAUTHORITY authority, 
                                         bool validatePathToDirectCRLs, std::vector<CPKIFX509ExtensionPtr>& processedExts, bool requireFresh, CPKIFPathSettingsPtr& settings, IPKIFTrustAnchorPtr& rootFromPath); //added settings param 9/26/03
                                                                                                                                                                                                                //added root param 4/6/06
};
//----------------------------------------------------------------------------------------------------
//
//  functions classify certs and crls
//
//----------------------------------------------------------------------------------------------------
CPKIFCRLTypePtr _TypeOfCRL(
    const CPKIFCRLPtr& crl)
{
    LOG_STRING_DEBUG("_TypeOfCRL", TOOLKIT_PATH_MISC, 0, NULL);

    //This function will determine the "type" of CRL in terms of X.509 Annex B.  The are 48 types
    //of CRLs.  Four enumerations comprise the CRL classification system.

    //Below we will inspect the extensions in the CRL and ask a series of yes/no questions.  
    //The answers to these questions will be collected in the following bitset
    //and analyzed below to determine the "type" of CRL.
    enum QUESTIONS {ARE_YOU_EE_ONLY = 0, ARE_YOU_CA_ONLY, ARE_YOU_AA_ONLY,
                    ARE_YOU_DELTA, ARE_YOU_DP, ARE_YOU_INDIRECT, ONLY_SOME_REASONS};
    std::bitset<7> questionnaire;
    questionnaire.reset();

    //get the extensions of interest, if present
    CPKIFDeltaCRLIndicatorPtr delta = crl->GetExtension<CPKIFDeltaCRLIndicator>();
    CPKIFIssuingDistributionPointPtr idp = crl->GetExtension<CPKIFIssuingDistributionPoint>();

    CPKIFCRLTypePtr type(new CPKIFCRLType);

    //if neither are present then we have a complete CRL
    if(delta == (CPKIFDeltaCRLIndicator*)NULL && idp == (CPKIFIssuingDistributionPoint*)NULL)
    {
        type->SetCRLCoverage(CPKIFX509CRLChecker::CC_ALL);
        type->SetCRLScope(CPKIFX509CRLChecker::CS_COMPLETE);
        type->SetCRLAuthority(CPKIFX509CRLChecker::CA_DIRECT);
        type->SetCRLReasons(CPKIFX509CRLChecker::CR_ALLREASONS);
        return type;
    }

    //if delta extension is present, set corresponding flag in questionnaire
    if(delta != (CPKIFDeltaCRLIndicator*)NULL)
        questionnaire.set(ARE_YOU_DELTA, true);

    //if delta extension is present, ask series of questions
    if(idp != (CPKIFIssuingDistributionPoint*)NULL)
    {
        //The IDP structure is clumsily constructed.  We will query the 
        //three "only contains" fields as if they were a choice, as they should've
        //been defined in the first place.  If after discovering a set "only contains" 
        //flag we learn that other flags are set we leave the type set to UNSUPPORTED
        //(in absence of a BUSTED enum value) and return.
        if(idp->OnlyContainsUserCerts())
        {
            if(idp->OnlyContainsAuthorityCerts() || idp->OnlyContainsAttributeCerts())
                return type;
            questionnaire.set(ARE_YOU_EE_ONLY, true);
        }
        else if(idp->OnlyContainsAuthorityCerts())
        {
            if(idp->OnlyContainsUserCerts() || idp->OnlyContainsAttributeCerts())
                return type;
            questionnaire.set(ARE_YOU_CA_ONLY, true);
        }
        else if(idp->OnlyContainsAttributeCerts())
        {
            if(idp->OnlyContainsUserCerts() || idp->OnlyContainsAuthorityCerts())
                return type;
            questionnaire.set(ARE_YOU_AA_ONLY, true);
        }

        //next ask if it's indirect
        if(idp->IndirectCRL())
            questionnaire.set(ARE_YOU_INDIRECT, true);

        //now see if it's a DP
        CPKIFDistributionPointNamePtr dp = idp->DistributionPoint();
        if(dp != (CPKIFDistributionPointName*)NULL)
            questionnaire.set(ARE_YOU_DP, true);

        //see if it has some reasons or all
        if(idp->OnlySomeReasons())
            questionnaire.set(ONLY_SOME_REASONS, true);

    }

    //having completed the questionnaire, analyze the results
    if(!questionnaire[ARE_YOU_AA_ONLY])
    {
        //determine coverage
        if(questionnaire[ARE_YOU_EE_ONLY])
            type->SetCRLCoverage(CPKIFX509CRLChecker::CC_EEONLY);
        else if(questionnaire[ARE_YOU_CA_ONLY])
            type->SetCRLCoverage(CPKIFX509CRLChecker::CC_CAONLY);
        else
            type->SetCRLCoverage(CPKIFX509CRLChecker::CC_ALL);

        //determine authority
        if(questionnaire[ARE_YOU_INDIRECT])
            type->SetCRLAuthority(CPKIFX509CRLChecker::CA_INDIRECT);
        else
            type->SetCRLAuthority(CPKIFX509CRLChecker::CA_DIRECT);

        //determine scope
        if(questionnaire[ARE_YOU_DP])
            type->SetCRLScope(CPKIFX509CRLChecker::CS_DP);
        else if(questionnaire[ARE_YOU_DELTA])
            type->SetCRLScope(CPKIFX509CRLChecker::CS_DELTA);
        else
            type->SetCRLScope(CPKIFX509CRLChecker::CS_COMPLETE);

        //determine reasons
        if(questionnaire[ONLY_SOME_REASONS])
            type->SetCRLReasons(CPKIFX509CRLChecker::CR_SOMEREASONS);
        else
            type->SetCRLReasons(CPKIFX509CRLChecker::CR_ALLREASONS);
    }
    else
    {
        //XXX-DEFER Do work here to support ACRL, AARL, etc.
    }
    return type;
}
CPKIFX509CRLChecker::CERTTYPES _ClassifyCert(
    const CPKIFCertificatePtr& targetCert)
{
    LOG_STRING_DEBUG("_ClassifyCert", TOOLKIT_PATH_MISC, 0, NULL);

    //One enumeration defines the cert classification system, which is nothing more
    //than a check of basicConstraints and CRL DP extensions.

    bool isCA = false, hasCRLDP = false;
    CPKIFBasicConstraintsPtr bc = targetCert->GetExtension<CPKIFBasicConstraints>();
    if(bc != (CPKIFBasicConstraints*)NULL)
    {
        if(bc->isCA())
            isCA = true;
    }

    CPKIFCRLDistributionPointsPtr crlDP = targetCert->GetExtension<CPKIFCRLDistributionPoints>();
    if(crlDP != (CPKIFCRLDistributionPoints*)NULL)
    {
        hasCRLDP = true;
    }

    if(isCA && hasCRLDP)
        return CPKIFX509CRLChecker::CT_CA_DP;
    else if(!isCA && hasCRLDP)
        return CPKIFX509CRLChecker::CT_EE_DP;
    else if(isCA)
        return CPKIFX509CRLChecker::CT_CA;
    else
        return CPKIFX509CRLChecker::CT_EE;
}

//commented out unused functions 8/26/2004
//bool _IsEE(CPKIFX509CRLChecker::CERTTYPES& ct)
//{
//  return ct <= CPKIFX509CRLChecker::CERTTYPES::CT_EE;
//}
//bool _IsCA(CPKIFX509CRLChecker::CERTTYPES& ct)
//{
//  return !_IsEE(ct);
//}

//----------------------------------------------------------------------------------------------------
//
//  functions that perform lower level CRL processing steps
//
//----------------------------------------------------------------------------------------------------
//4-b
/*
//this function was deprecated and replaced by _ValidateCRLIssuerName2
//it was commented out because it is not used 8/26/2004
bool _ValidateCRLIssuerName(const CPKIFCertificatePtr& targetCert, CPKIFCRLDistributionPointListPtr& dpsFromCRLDP, 
                            const CPKIFCRLPtr& crl, CPKIFX509CRLChecker::CRLSCOPE scope, CPKIFCRLDistributionPointPtr& activeCRLDP)
{
    LOG_STRING_DEBUG("_ValidateCRLIssuerName", TOOLKIT_PATH_MISC, 0, NULL);

    //This function assumes that the CRL type and cert type are compatible.  If they are not - BOOM!
    //Thus, make sure this function is only called after checking type compatibility.
    bool foundMatch = false;
    if(activeCRLDP != (CPKIFCRLDistributionPoints*)NULL)
    {
        //next see if any crlIssuer from the current distribution point matches a name from the IDP
        CPKIFGeneralNameList crlIssuersFromCRLDP;
        activeCRLDP->CRLIssuer(crlIssuersFromCRLDP);

        CPKIFNamePtr crlIssuer = crl->Issuer();
        bool foundMatch = false;

        CPKIFGeneralNameList::iterator pos;
        CPKIFGeneralNameList::iterator end = crlIssuersFromCRLDP.end();
        for(pos = crlIssuersFromCRLDP.begin(); pos != end; ++pos)
        {
            if(CPKIFGeneralName::GENNAMETYPE::DIRECTORYNAME == (*pos)->GetType())
            {
                CPKIFNamePtr tmpName = (*pos)->directoryName();
                if(*tmpName == *crlIssuer)
                {
                    foundMatch = true;
                    break;
                }
            }
        }
    }
    else
    {
        //if we get here then the issuer of the certificate must be the issuer of the CRL
        CPKIFNamePtr crlIssuer = crl->Issuer();
        CPKIFNamePtr certIssuer = targetCert->Issuer();
        if(*crlIssuer == *certIssuer)
            foundMatch = true;
    }

    return foundMatch;
}
*/
bool _ValidateCRLIssuerName2(
    const CPKIFCertificatePtr& targetCert,
    CPKIFCRLDistributionPointListPtr& dpsFromCRLDP, 
    const CPKIFCRLPtr& crl,
    CPKIFX509CRLChecker::CRLSCOPE scope, 
    CPKIFCRLDistributionPointPtr& activeCRLDP)
{
    LOG_STRING_DEBUG("_ValidateCRLIssuerName2", TOOLKIT_PATH_MISC, 0, NULL);

    //----------------------------------------------------------------------------------------------------
    //clear active CRL DP
    //----------------------------------------------------------------------------------------------------
    CPKIFCRLDistributionPointPtr tmpEmpty;
    activeCRLDP = tmpEmpty;

    //----------------------------------------------------------------------------------------------------
    // see if the CRL issuer matches the cert issuer
    //      if it does return true w/o setting active CRLDP
    //----------------------------------------------------------------------------------------------------
    CPKIFNamePtr crlIssuer = crl->Issuer();
    CPKIFNamePtr certIssuer = targetCert->Issuer();

    //relocated this check to below if no DPs are present - 12/7/2003
    //if(*crlIssuer == *certIssuer)
    //  return true;

    //----------------------------------------------------------------------------------------------------
    // see if the CRL issuer matches a CRL DP
    //----------------------------------------------------------------------------------------------------
    //if no DPs were passed in then none match - return false
    if(dpsFromCRLDP == (CPKIFCRLDistributionPointList*)NULL)
    {
        if(*crlIssuer == *certIssuer)
            return true;
        else
            return false;
    }

    bool crlIssuerSpecifiedInDP = false;

    //iterate over all DPs from the CRL DP and see if any match the IDP
    //(either the DP or crlIssuer from the CRL DP can produce the match)
    CPKIFCRLDistributionPointList::iterator pos;
    CPKIFCRLDistributionPointList::iterator end = dpsFromCRLDP->end();
    for(pos = dpsFromCRLDP->begin(); pos != end; ++pos)
    {
        //see if the crlIssuer from the current CRL DP matches the CRL issuer
        CPKIFGeneralNameList fromPosCrlIssuer;
        (*pos)->CRLIssuer(fromPosCrlIssuer);

        CPKIFGeneralNameList::iterator gnPos;
        CPKIFGeneralNameList::iterator gnEnd = fromPosCrlIssuer.end();
        for(gnPos = fromPosCrlIssuer.begin(); gnPos != gnEnd; ++gnPos)
        {
            crlIssuerSpecifiedInDP = true;
            if(CPKIFGeneralName::DIRECTORYNAME == (*gnPos)->GetType())
            {
                CPKIFNamePtr fromCRLDP = (*gnPos)->directoryName();
                if(fromCRLDP != (CPKIFName*)NULL && *fromCRLDP == *crlIssuer)
                {
                    activeCRLDP = *pos;
                    return true;
                }
            }
        }
    }

    //added this check 12/7/2003
    if(!crlIssuerSpecifiedInDP)
    {
        if(*crlIssuer == *certIssuer)
            return true;
    }

    //if neither the cert issuer nor a CRL DP matched the CRL issuer...
    return false;
}
bool _ValidateDP2(
    CPKIFCRLDistributionPointListPtr& dpsFromCRLDP, 
    const CPKIFCRLPtr& crl, 
    CPKIFX509CRLChecker::CRLSCOPE scope,
    CPKIFCRLDistributionPointPtr& activeCRLDP, 
    CPKIFX509CRLChecker::CRLREASONS reasons)
{
    LOG_STRING_DEBUG("_ValidateDP2", TOOLKIT_PATH_MISC, 0, NULL);

    //  4- c) Validate DP (discard CRL upon failure)
    //      If IDP w/distribution point field is present, one of the names in the CRL DP shall match one
    //      of the names in the IDP.  
    if(CPKIFX509CRLChecker::CS_DP == scope || CPKIFX509CRLChecker::CS_DELTA_DP == scope)
    {
        //if it's a DP CRL but cert has no CRL DP then return false
        if(dpsFromCRLDP == (CPKIFCRLDistributionPointList*)NULL)
            return false;

        //otherwise grab the IDP and DP name from the IDP (assume there is an IDP w/DP thanks to scope)
        CPKIFIssuingDistributionPointPtr idp = crl->GetExtension<CPKIFIssuingDistributionPoint>();
        CPKIFDistributionPointNamePtr dpFromIDP = idp->DistributionPoint();
        CPKIFGeneralNameList gnsFromIDP;
        if(!dpFromIDP->NameRelativeToIssuerPresent())
            dpFromIDP->FullName(gnsFromIDP);
        else
        {
            CPKIFNamePtr iss = crl->Issuer();
            CPKIFNamePtr relAsFull = dpFromIDP->GetRelativeNameAsFullName(iss);
            CPKIFGeneralNamePtr gnp(new CPKIFGeneralName(relAsFull));
            gnsFromIDP.push_back(gnp);          
        }

        bool foundMatch = false;
        if(activeCRLDP != (CPKIFCRLDistributionPoint*)NULL)
        {
            //if there's an active CRL DP, i.e. on that produced a match in the CRL issuer validation
            //function - then use require that DP to match here
            CPKIFDistributionPointNamePtr fromActive = activeCRLDP->DistributionPoint();
            if(!fromActive->NameRelativeToIssuerPresent())
            {
                if(*fromActive == *dpFromIDP)
                    foundMatch = true;
            }
            else
            {
                CPKIFNamePtr iss = crl->Issuer();
                CPKIFNamePtr relName = fromActive->GetRelativeNameAsFullName(iss);
                CPKIFGeneralNamePtr gnpFromCrlDp(new CPKIFGeneralName(relName));    
                CPKIFGeneralNameList gnsFromCDP;
                gnsFromCDP.push_back(gnpFromCrlDp);

                GeneralNamesCompare gnc;
                gnc.SetGeneralNames(&gnsFromCDP);

                CPKIFGeneralNameList::iterator idpEnd = gnsFromIDP.end();
                if(idpEnd != find_if(gnsFromIDP.begin(), gnsFromIDP.end(), gnc))
                {
                    foundMatch = true;
                }
            }
        }
        else
        {
            //if there is no active CRL DP then any CRL DP can produce a match
            CPKIFCRLDistributionPointList::iterator pos;
            CPKIFCRLDistributionPointList::iterator end = dpsFromCRLDP->end();
            for(pos = dpsFromCRLDP->begin(); pos != end; ++pos)
            {
                //first see if a distribution point name from the current distribution point
                //matches a name from the IDP
                CPKIFDistributionPointNamePtr fromPos = (*pos)->DistributionPoint();
                if(!fromPos->NameRelativeToIssuerPresent())
                {
                    if(!dpFromIDP->NameRelativeToIssuerPresent())
                    {
                        if(*fromPos == *dpFromIDP)
                        {
                            foundMatch = true;
                            break;
                        }
                    }
                    else
                    {
                        CPKIFGeneralNameList gnsFromCDP;
                        fromPos->FullName(gnsFromCDP);

                        GeneralNamesCompare gnc;
                        gnc.SetGeneralNames(&gnsFromCDP);

                        CPKIFGeneralNameList::iterator idpEnd = gnsFromIDP.end();
                        if(idpEnd != find_if(gnsFromIDP.begin(), gnsFromIDP.end(), gnc))
                        {
                            foundMatch = true;
                            break;
                        }
                    }

                    //next see if any crlIssuer from the current distribution point matches a name from the IDP
                    CPKIFGeneralNameList crlIssuer;
                    (*pos)->CRLIssuer(crlIssuer);

                    if(!crlIssuer.empty())
                    {
                        GeneralNamesCompare gnc;
                        gnc.SetGeneralNames(&crlIssuer);

                        CPKIFGeneralNameList::iterator idpEnd = gnsFromIDP.end();
                        if(idpEnd != find_if(gnsFromIDP.begin(), gnsFromIDP.end(), gnc))
                        {
                            foundMatch = true;
                            break;
                        }
                    }
                }
                else
                {
                    CPKIFNamePtr iss = crl->Issuer();
                    CPKIFNamePtr cdpRelNameAsFull = fromPos->GetRelativeNameAsFullName(iss);
                    CPKIFGeneralNamePtr gnpFromCrlDp(new CPKIFGeneralName(cdpRelNameAsFull));   
                    CPKIFGeneralNameList gnsFromCDP;
                    gnsFromCDP.push_back(gnpFromCrlDp);


                    //compare it to the DP from the IDP
                    GeneralNamesCompare gnc;
                    gnc.SetGeneralNames(&gnsFromCDP);

                    CPKIFGeneralNameList::iterator idpEnd = gnsFromIDP.end();
                    if(idpEnd != find_if(gnsFromIDP.begin(), gnsFromIDP.end(), gnc))
                    {
                        foundMatch = true;
                        break;
                    }
                }
            }
        }

        //if no DP matches then return false
        if(!foundMatch)
            return false;
    }

    //contain at least one of the reason codes asserted in the CRL DP (but, in this version, reason-based 
    //partitioning not supported)
    if(CPKIFX509CRLChecker::CR_ALLREASONS != reasons)
    {
        CPKIFIssuingDistributionPointPtr idp = crl->GetExtension<CPKIFIssuingDistributionPoint>();
        if(activeCRLDP != (CPKIFCRLDistributionPoint*)NULL)
        {
            CPKIFReasonFlagsPtr idpRF = idp->GetReasons();
            CPKIFReasonFlagsPtr cdpRF = activeCRLDP->Reasons();

            if(idpRF != (CPKIFReasonFlags*)NULL && cdpRF != (CPKIFReasonFlags*)NULL)
            {
                if(idpRF->GetCACompromise() && cdpRF->GetCACompromise())
                    return true;
                else if(idpRF->GetKeyCompromise() && cdpRF->GetKeyCompromise())
                    return true;
                else if(idpRF->GetAACompromise() && cdpRF->GetAACompromise())
                    return true;
                else if(idpRF->GetPrivilegeWithdrawn() && cdpRF->GetPrivilegeWithdrawn())
                    return true;
                else if(idpRF->GetCertificateHold() && cdpRF->GetCertificateHold())
                    return true;
                else if(idpRF->GetCessationOfOperation() && cdpRF->GetCessationOfOperation())
                    return true;
                else if(idpRF->GetSuperseded() && cdpRF->GetSuperseded())
                    return true;
                else if(idpRF->GetAffiliationChanged() && cdpRF->GetAffiliationChanged())
                    return true;
                else if(idpRF->GetUnused() && cdpRF->GetUnused())
                    return true;
                else
                    return false;
            }
        }
    }

    //if we get here then the CRL is: OK DP-wise and not partitioned using reason codes
    return true;
}

//4-d
bool _ValidateCRLAuthority(
    const CPKIFCertificatePtr& targetCert, 
    const CPKIFCRLPtr& crl, 
    CPKIFX509CRLChecker::CRLAUTHORITY authority)
{
    LOG_STRING_DEBUG("_ValidateCRLAuthority", TOOLKIT_PATH_MISC, 0, NULL);

    //  d) Validate CRL authority (discard CRL upon failure)
    //      If the CRL issuer name does not match the cert issuer name, the indirectCRL field must be present
    //      in the IDP.
    const CPKIFNamePtr& certIssuer = targetCert->Issuer();
    const CPKIFNamePtr& crlIssuer = crl->Issuer();
    if(!(*crlIssuer == *certIssuer) && CPKIFX509CRLChecker::CA_INDIRECT != authority)
        return false;
    else
        return true;
}

// If lhs > rhs return -1.  If lhs == rhs return 0.  If lhs < rhs   return 1
int _CompareCRLNumbers(
    const char* lhs, 
    const char* rhs)
{
    LOG_STRING_DEBUG("_CompareCRLNumbers", TOOLKIT_PATH_MISC, 0, NULL);

    if (NULL == lhs || NULL == rhs)
        throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER, COMMON_INVALID_INPUT, "NULL CRL number passed to _CompareCRLNumbers.");

    size_t lhsLen = strlen(lhs);
    size_t rhsLen = strlen(rhs);

    //min length must account for 0x and at least one byte
    if (lhsLen < 3 || rhsLen < 3)
        throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER, COMMON_INVALID_INPUT, "Invalid CRL number passed to _CompareCRLNumbers.");

    // Skip the first 2 bytes and strip the leading zeros
    char* left = const_cast<char*>(lhs) + 2; lhsLen -= 2;
    for(; lhsLen > 1 && *left == '0'; ++left, --lhsLen);

    char* right = const_cast<char*>(rhs) + 2; rhsLen -= 2;
    for(; rhsLen > 1 && *right == '0'; ++right, --rhsLen);

    //max length we'll set to more than the 20 bytes allowed by PKIX
    if (lhsLen > 60 || rhsLen > 60)
        throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER, COMMON_INVALID_INPUT, "CRL number passed to _CompareCRLNumbers too big.");

    unsigned char rhsBin[30], lhsBin[30];
    // GIB: this is OK because we just checked these above and no platform
    // has max_int anything like 60.
    // However, on some platforms &size_t won't work the same as &unsigned int!
    unsigned int irhsLen = (unsigned int)rhsLen, ilhsLen = (unsigned int)lhsLen;
    atob((char*)rhsBin, right, &irhsLen);
    atob((char*)lhsBin, left, &ilhsLen);

    // be sure to use irhsLen and ilhsLen from here forward
        if (ilhsLen < irhsLen)
        return 1;
    else if(ilhsLen > irhsLen)
        return -1;

    // Compare the two numbers byte by byte
    for (unsigned int ii = 0; ii < ilhsLen; ++ii)
    {
        if(lhsBin[ii] > rhsBin[ii])
            return -1;
        if(lhsBin[ii] < rhsBin[ii])
            return 1;
    }

    //if we get here then the two values matched in all bytes
    return 0;
}

//5-c) Validate delta scope
bool _ValidateDeltaScope(
    const CPKIFCertificatePtr& targetCert, 
    const CPKIFCRLPtr& crl, 
    CPKIFX509CRLChecker::CRLSCOPE scope,
    CPKIFCRLList& crlList, 
    CPKIFCRLList& quarantinedDeltas, 
    AssociatedCRLsList& acl)
{
    LOG_STRING_DEBUG("_ValidateDeltaScope", TOOLKIT_PATH_MISC, 0, NULL);

    //if we ain't dealing with a delta - return now
    if(CPKIFX509CRLChecker::CS_DELTA != scope && CPKIFX509CRLChecker::CS_DELTA_DP != scope)
    {
        //create an entry in the associated CRL list then return true
        AssociatedCRLsPtr ac(new AssociatedCRLs);
        ac->m_base = crl;
        acl.push_back(ac);

        return true;
    }

    CPKIFNamePtr crlIssuer = crl->Issuer();

    //make sure we have a base CRL for this delta - if not quarantine the delta
    CPKIFDeltaCRLIndicatorPtr deltaIndicatorExt = crl->GetExtension<CPKIFDeltaCRLIndicator>();
    const char* baseNumber = deltaIndicatorExt->BaseCRLNumber();

    CPKIFCRLStreamIdentifierPtr crlStreamIdentifierExt = crl->GetExtension<CPKIFCRLStreamIdentifier>();
    bool crlStreamIdentifierSet = false;
    const char* crlStreamIdentifier = 0;
    if(crlStreamIdentifierExt != (CPKIFCRLStreamIdentifier*)NULL)
    {
        crlStreamIdentifier = crlStreamIdentifierExt->CRLStreamIdentifier();
        crlStreamIdentifierSet = true;
    }

    //grab IDP and AKID extensions (if present)
    CPKIFAuthorityKeyIdentifierPtr akid = crl->GetExtension<CPKIFAuthorityKeyIdentifier>();
    CPKIFIssuingDistributionPointPtr idp = crl->GetExtension<CPKIFIssuingDistributionPoint>();

    bool foundMatch = false;

    AssociatedCRLsList::iterator aclPos;
    AssociatedCRLsList::iterator aclEnd = acl.end();
    for(aclPos = acl.begin(); aclPos != aclEnd; ++aclPos)
    {
        CPKIFCRLPtr tmpCRL = (*aclPos)->m_base;

        //don't compare to current crl
        if(crl == tmpCRL)
            continue;

        //see if issuers match - if not move on
        CPKIFNamePtr tmpCRLIssuer = tmpCRL->Issuer();
        if(tmpCRLIssuer != (CPKIFCRL*)NULL && !(*crlIssuer == *tmpCRLIssuer))
            continue;

        //if crlStream was set in the delta check it here - if not don't bother
        if(crlStreamIdentifierSet)
        {
            CPKIFCRLStreamIdentifierPtr tmpCRLStreamIdentifierExt = tmpCRL->GetExtension<CPKIFCRLStreamIdentifier>();
            if(tmpCRLStreamIdentifierExt != (CPKIFCRLStreamIdentifier*)NULL &&
                *crlStreamIdentifier != *tmpCRLStreamIdentifierExt->CRLStreamIdentifier())
                continue;//if streams do not match - move on
        }

        CPKIFCRLNumberPtr crlNumber = tmpCRL->GetExtension<CPKIFCRLNumber>();
        if(crlNumber != (CPKIFCRLNumber*)NULL && _CompareCRLNumbers(baseNumber, crlNumber->CRLNumber()) < 0)
            continue; //if delta applies to a later base - move on

        //compare AKIDs
        if(akid != (CPKIFAuthorityKeyIdentifier*)NULL)
        {
            CPKIFAuthorityKeyIdentifierPtr tmpAKID = tmpCRL->GetExtension<CPKIFAuthorityKeyIdentifier>();
            if(tmpAKID != (CPKIFAuthorityKeyIdentifier*)NULL && !(*akid == *tmpAKID))
                continue; //if AKIDs do not match - keep going (PKIX rule)
        }

        //compare IDPs
        CPKIFIssuingDistributionPointPtr tmpIDP = tmpCRL->GetExtension<CPKIFIssuingDistributionPoint>();
        if(idp == (CPKIFIssuingDistributionPoint*)NULL)
        {
            if(tmpIDP != (CPKIFIssuingDistributionPoint*)NULL)
                continue; //if crl IDP is NULL then cur IDP must be NULL too (PKIX rule)
        }
        else if(tmpIDP == (CPKIFIssuingDistributionPoint*)NULL)
            continue; //crl IDP is non-NULL but tmp IDP is NULL
        else if(!(*idp == *tmpIDP))
            continue; //idps do not match (PKIX rule)

        //if all of the above checks passed - then set foundMatch to true
        foundMatch = true;

        (*aclPos)->m_deltas.push_back(crl);
    }

    if(!foundMatch)
    {
        //add it to quarantine - by returning false it will be removed from the crlList
        quarantinedDeltas.push_back(crl);
    }

    return foundMatch;
}

//5-a) Process critical CRL DP and/or freshestCRL
bool ProcessCriticalCertExtensions(
    const CPKIFCertificatePtr& targetCert, 
    CPKIFCRLList& crlList)
{
    LOG_STRING_DEBUG("ProcessCriticalCertExtensions", TOOLKIT_PATH_MISC, 0, NULL);

    //declare two lists of DPs (one from freshestCRL and the other from CRLDP)
    CPKIFCRLDistributionPointListPtr dpsFromFresh; 
    CPKIFCRLDistributionPointListPtr dpsFromCRLDP; 

    //declare a bool for each extension indicating that processing is done
    bool foundFreshMatch = true, foundCRLDPMatch = true;

    CPKIFFreshestCRLPtr fresh = targetCert->GetExtension<CPKIFFreshestCRL>();
    if(fresh != (CPKIFFreshestCRL*)NULL && fresh->isCritical())
    {
        dpsFromFresh = fresh->DPs();
        foundFreshMatch = false;
    }

    CPKIFCRLDistributionPointsPtr crlDP = targetCert->GetExtension<CPKIFCRLDistributionPoints>();
    if(crlDP != (CPKIFCRLDistributionPoints*)NULL && crlDP->isCritical())
    {
        dpsFromCRLDP = crlDP->DPs();
        foundCRLDPMatch = false;
    }

    CPKIFCRLDistributionPointPtr activeCRLDP;

    CPKIFCRLList::iterator pos;
    CPKIFCRLList::iterator end = crlList.end();
    for(pos = crlList.begin(); pos != end; ++pos)
    {
        const CPKIFCRLTypePtr crlType = _TypeOfCRL(*pos);
        const CPKIFX509CRLChecker::CRLSCOPE scope = crlType->GetCRLScope();
        const CPKIFX509CRLChecker::CRLREASONS reasons = crlType->GetCRLReasons();

        //added scope check to following conditions 04/28/03 CRW

        //if we haven't already found a match - try to validate current crl against dps
        if(!foundFreshMatch && CPKIFX509CRLChecker::CS_COMPLETE != scope && _ValidateDP2(dpsFromFresh, *pos, scope, activeCRLDP, reasons))
            foundFreshMatch = true; //when we find a match set flag so we stop looking

        //if we haven't already found a match - try to validate current crl against dps
        if(!foundCRLDPMatch && CPKIFX509CRLChecker::CS_COMPLETE != scope && _ValidateDP2(dpsFromCRLDP, *pos, scope, activeCRLDP, reasons))
            foundCRLDPMatch = true;//when we find a match set flag so we stop looking
    }

    return foundCRLDPMatch && foundFreshMatch;
}


class ReasonCodeCheck
{
public:
    bool operator()(const CPKIFCRLPtr& lhs);
    void SetTargetCert(const CPKIFCertificatePtr& target);
    void SetReasonCodesOfInterest(CPKIFReasonFlagsPtr& flags);
private:
    CPKIFCertificatePtr m_targetCert;
    bool m_bTargetIsCA;
    CPKIFReasonFlagsPtr m_rf;
};

void ReasonCodeCheck::SetReasonCodesOfInterest(CPKIFReasonFlagsPtr& flags)
{
    m_rf = flags;
}
void ReasonCodeCheck::SetTargetCert(const CPKIFCertificatePtr& target)
{
    m_targetCert = target;

    if(m_targetCert != (CPKIFCertificatePtr*)NULL)
    {
        //determine if the certificate is a CA cert or an EE cert
        CPKIFBasicConstraintsPtr bc = m_targetCert->GetExtension<CPKIFBasicConstraints>();
        if(bc != (CPKIFBasicConstraints*)NULL)
            m_bTargetIsCA = bc->isCA();
    }
    else
        m_bTargetIsCA = false;
}
bool ReasonCodeCheck::operator()(
    const CPKIFCRLPtr& lhs)
{
    CPKIFIssuingDistributionPointPtr idp = lhs->GetExtension<CPKIFIssuingDistributionPoint>();
    if(idp != (CPKIFIssuingDistributionPoint*)NULL)
    {
        if(idp->OnlyContainsAttributeCerts())
            return true;

        CPKIFReasonFlagsPtr idpRF = idp->GetReasons();
        if(idpRF != (CPKIFReasonFlags*)NULL && m_rf != (CPKIFReasonFlags*)NULL)
        {
            if(m_bTargetIsCA && idp->OnlyContainsUserCerts())
                return true;
            if(!m_bTargetIsCA && idp->OnlyContainsAuthorityCerts())
                return true;

            if(idpRF->GetCACompromise() && m_rf->GetCACompromise())
                return false;
            else if(idpRF->GetKeyCompromise() && m_rf->GetKeyCompromise())
                return false;
            else if(idpRF->GetAACompromise() && m_rf->GetAACompromise())
                return false;
            else if(idpRF->GetPrivilegeWithdrawn() && m_rf->GetPrivilegeWithdrawn())
                return false;
            else if(idpRF->GetCertificateHold() && m_rf->GetCertificateHold())
                return false;
            else if(idpRF->GetCessationOfOperation() && m_rf->GetCessationOfOperation())
                return false;
            else if(idpRF->GetSuperseded() && m_rf->GetSuperseded())
                return true;
            else if(idpRF->GetAffiliationChanged() && m_rf->GetAffiliationChanged())
                return false;
            else if(idpRF->GetUnused() && m_rf->GetUnused())
                return false;
            else
                return true;
        }
    }

    return false;
}

//5-b) Process reason codes of interest
bool _ProcessReasonCodesOfInterest(
    const CPKIFCertificatePtr& targetCert, 
    CPKIFCRLList& crlList, 
    CPKIFReasonFlagsPtr reasons)
{
    ReasonCodeCheck rcc;
    rcc.SetTargetCert(targetCert);
    rcc.SetReasonCodesOfInterest(reasons);

    CPKIFCRLList::iterator newEnd = remove_if(crlList.begin(), crlList.end(), rcc);
    crlList.erase(newEnd, crlList.end());

    //iterate over all CRLs and make sure we cover the full set of reasons
    CPKIFReasonFlags controlRF;

    CPKIFCRLList::iterator pos;
    CPKIFCRLList::iterator end = crlList.end();
    for(pos = crlList.begin(); pos != end; ++pos)
    {
        CPKIFIssuingDistributionPointPtr idp = (*pos)->GetExtension<CPKIFIssuingDistributionPoint>();
        if(idp != (CPKIFIssuingDistributionPoint*)NULL)
        {
            CPKIFReasonFlagsPtr idpRF = idp->GetReasons();
            if(idpRF != (CPKIFReasonFlags*)NULL)
            {
                if(     idpRF->GetCACompromise())
                    controlRF.SetCACompromise();
                if(idpRF->GetKeyCompromise())
                    controlRF.SetKeyCompromise();
                if(idpRF->GetAACompromise())
                    controlRF.SetAACompromise();
                if(idpRF->GetPrivilegeWithdrawn())
                    controlRF.SetPrivilegeWithdrawn();
                if(idpRF->GetCertificateHold())
                    controlRF.SetCertificateHold();
                if(idpRF->GetCessationOfOperation())
                    controlRF.SetCessationOfOperation();
                if(idpRF->GetSuperseded())
                    controlRF.SetSuperseded();
                if(idpRF->GetAffiliationChanged())
                    controlRF.SetAffiliationChanged();
                if(idpRF->GetUnused())
                    controlRF.SetUnused();
            }
            else
                return true; // reason flags, thus all reasons present
        }
        else
            return true; //no IDP, thus all reasons present
    }

    //if we get here, then we may not have everything we need
    if(!controlRF.GetUnused() ||
        !controlRF.GetAffiliationChanged() ||
        !controlRF.GetSuperseded() ||
        !controlRF.GetCessationOfOperation() ||
        !controlRF.GetPrivilegeWithdrawn() ||
        !controlRF.GetAACompromise() ||
        !controlRF.GetKeyCompromise() ||
        !controlRF.GetCACompromise() ||
        !controlRF.GetUnused())
        return false;

    return !crlList.empty();
}
class DPCompare
{
public:

    bool operator()(CPKIFCRLDistributionPointPtr& rhsDP)
    {
        if(m_lhsName != (CPKIFDistributionPointName*)NULL)
        {
            CPKIFDistributionPointNamePtr rhsName = rhsDP->DistributionPoint();
            if(rhsName != (CPKIFDistributionPointName*)NULL)
                return *m_lhsName == *rhsName;
        }

        return false;
    }
    void SetIDPName(const CPKIFIssuingDistributionPointPtr& lhsName) {m_idp = lhsName; m_lhsName = lhsName->DistributionPoint();}
private:
    CPKIFIssuingDistributionPointPtr m_idp;
    CPKIFDistributionPointNamePtr m_lhsName;
};

template <class T>
class NottaMatch
{
public:
    bool operator()(const T& t);

    void SetRHS(const T& rhs) {m_rhs = rhs;}
private:
    T m_rhs;
};

template <class T>
bool NottaMatch<T>::operator()(const T& t)
{
    return !(*t == *m_rhs);     
}

//5-d) Discard extraneous CRLs
void _QuarantineExtraneousCRLs(
    const CPKIFCertificatePtr& targetCert, 
    CPKIFCRLList& crlList, 
    CPKIFCRLList& quarantinedCRLs)
{
    LOG_STRING_DEBUG("_QuarantineExtraneousCRLs", TOOLKIT_PATH_MISC, 0, NULL);

    //sift through the mess and sort out the "best" CRLs - quarantine the left-overs
    
    //----------------------------------------------------------------------------------------------------
    //new code to favor IDP matches and to quarantine additional CRLs where
    //an IDP match exists - added 7/21/2005 CRW

    CPKIFCRLDistributionPointsPtr crlDPs = targetCert->GetExtension<CPKIFCRLDistributionPoints>();

    CPKIFCRLPtr match;
    if(crlDPs != (CPKIFCRLDistributionPoints*)NULL)
    {
        CPKIFCRLDistributionPointListPtr dps = crlDPs->DPs();

        CPKIFCRLList::iterator pos;
        CPKIFCRLList::iterator end = crlList.end();
        for(pos = crlList.begin(); pos != end; ++pos)
        {
            CPKIFIssuingDistributionPointPtr idp = (*pos)->GetExtension<CPKIFIssuingDistributionPoint>();
            if(idp != (CPKIFIssuingDistributionPoint*)NULL)
            {
                DPCompare _dpCompare;
                _dpCompare.SetIDPName(idp);
                if(dps->end() != find_if(dps->begin(), dps->end(), _dpCompare))
                {
                    match = *pos;
                    break;
                }
            }
        }
    }

    if(match != (CPKIFCRL*)NULL)
    {
        NottaMatch<CPKIFCRLPtr> nm;
        nm.SetRHS(match);
        CPKIFCRLList::iterator newEnd = remove_if(crlList.begin(), crlList.end(), nm);
        copy(newEnd, crlList.end(), back_inserter(quarantinedCRLs));
        crlList.erase(newEnd, crlList.end());
    }   

    //----------------------------------------------------------------------------------------------------
}

//----------------------------------------------------------------------------------------------------
//
//  utility functions
//
//----------------------------------------------------------------------------------------------------

bool _GetHashOfToBeSignedCRL2(
    const CPKIFCRLPtr& crl,
    IPKIFCryptoMisc* cryptoMisc, 
    PKIFCRYPTO::HASH_ALG hashAlg, //input, input, input
    unsigned char* hashResult, 
    int* hashResultLen)
{
    LOG_STRING_DEBUG("_GetHashOfToBeSignedCRL2", TOOLKIT_PATH_MISC, 0, NULL);

    int stat = ASN_OK;
    int reqcnt = 0;

    if(crl == (CPKIFCRL*)NULL || NULL == cryptoMisc || NULL == hashResult)
        throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER,COMMON_INVALID_INPUT,"Invalid input passed to CRL hash calculation function");

    //get a pointer to the encoded CRL and the length of the encoded CRL
    CPKIFBufferPtr crlBuf = crl->Encoded();
    int length = crlBuf->GetLength();

    if(0 == length)
        throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER,COMMON_INVALID_INPUT,"Empty CRL passed to CRL hash calculation function");

    //prepare an OOCTXT object with the CRL buffer and length
    OOCTXT ctxt;
    initContext (&ctxt);
    setBERDecBufPtr(&ctxt, crlBuf->GetBuffer(), length, NULL, NULL);
    OOCTXT* pctxt = &ctxt;

    //parse the first sequence (SIGNED macro)
    stat = matchTag (pctxt, TM_UNIV|TM_CONS|16, &length, XM_ADVANCE);
    if (stat != ASN_OK)
    {
        freeEncodeBuffer(&ctxt);
        memFreeAll(&ctxt);
        return false;
    }

    //save the offset
    size_t byteIndex = ctxt.buffer.byteIndex;

    //parse the next sequence to get the length
    stat = matchTag (pctxt, TM_UNIV|TM_CONS|16, &length, XM_ADVANCE);
    if (stat != ASN_OK)
    {
        freeEncodeBuffer(&ctxt);
        memFreeAll(&ctxt);
        return false;
    }

    //set the pointer to the offset collected above and the length to the length
    //returned by the second parse operation plus the offset difference.  this is the
    //to be signed CRL to pass to the hash function below.
    unsigned char* p = (unsigned char*)ctxt.buffer.data + byteIndex; 
    size_t tmpST = ctxt.buffer.byteIndex - byteIndex;
    unsigned int tmpUI = 0;

    try {
        tmpUI = numeric_cast<unsigned int>(tmpST);
    }catch(bad_numeric_cast &) {
        throw CPKIFException(TOOLKIT_PATH, COMMON_INVALID_INPUT, "Byte offset difference too large.");
    }

    length += (tmpUI);

    IPKIFHashContext* hash = NULL;
    try
    {
        //create a hash object, pass the buffer and length we calculated and obtain the result
        hash = cryptoMisc->HashInit(hashAlg);
        cryptoMisc->HashUpdate(hash, p, length);
        cryptoMisc->HashFinal(hash, (unsigned char*)hashResult, hashResultLen);
    }
    catch(CPKIFException& e)
    {
        if(NULL != hash)
            delete hash;

        //clean up the context
        freeEncodeBuffer(&ctxt);
        memFreeAll(&ctxt);

        throw e;
    }

    //clean up the hash
    delete hash; 

    //clean up the context
    freeEncodeBuffer(&ctxt);
    memFreeAll(&ctxt);

    return true;
}
bool _GetCRLIssuersCert(
    CPKIFCRLPtr& crl,
    IPKIFNameAndKey* targetCertIssuersCertNK, 
    const CPKIFCertificatePtr& targetCertIssuersCert,
    CPKIFCertificateList& crlIssuerCerts,
    //[out] PKIInfoSource value indicating the type of location from which the associated certificate object was retrieved
    PKIInfoSource source, 
    IPKIFColleague* c,
    const CPKIFX509CRLChecker::CRLAUTHORITY authority, 
    CPKIFPathSettingsPtr& settings)
{
    LOG_STRING_DEBUG("_GetCRLIssuersCert", TOOLKIT_PATH_MISC, 0, NULL);

    crlIssuerCerts.clear();
    CPKIFNamePtr crlIssuerName = crl->Issuer();

    #ifdef _DEBUG
        const char* crlIssuerNameString = crlIssuerName->ToString();
        const char* targetCertIssuersCertNKString = targetCertIssuersCertNK->GetSubjectName()->ToString();
    #endif

    //added this check 7/18
    bool issuedByCertIssuer = false;
    if(*crlIssuerName == *targetCertIssuersCertNK->GetSubjectName())
        issuedByCertIssuer = true;

    if(REMOTE != source)
    {
        //if the source is not REMOTE then check the targetCertIssuersCert and...
        if(*crlIssuerName == *targetCertIssuersCertNK->GetSubjectName() && targetCertIssuersCert != (CPKIFCertificate*)NULL)
            crlIssuerCerts.push_back(targetCertIssuersCert);

        //altered direct/indirect conditions here and below 7/18
        //  - to permit discovery of direct issuer with different key 
        //check the trust root store (if available and CRL is indirect)
        IPKIFTrustCache* tc = c->GetMediatorFromParent<IPKIFTrustCache>();
        if(tc && (issuedByCertIssuer || CPKIFX509CRLChecker::CA_INDIRECT == authority))
        {
            IPKIFTrustAnchorList rootList;
            tc->GetTrustRoots(crlIssuerName, rootList);

            IPKIFTrustAnchorList::iterator pos;
            IPKIFTrustAnchorList::iterator end = rootList.end();
            for(pos = rootList.begin(); pos != end; ++pos)
            {
                CPKIFCertificatePtr rootCert = (*pos)->GetCertificate();
                if(rootCert)
                {
                    crlIssuerCerts.push_back(rootCert);
                }
            }
        }
    }

    //check cert repository (if available and CRL is indirect)
    IPKIFCertRepository* cr = c->GetMediatorFromParent<IPKIFCertRepository>();
    if(c && (issuedByCertIssuer || CPKIFX509CRLChecker::CA_INDIRECT == authority))
    {
        cr->GetCertificates(crlIssuerName, crlIssuerCerts, source);
    }

    //----------------------------------------------------------------------------------------------------
    //added 7/21/2005 to sort CRL issuers to avoid chasing certs with 
    //incorrect public key if possible
    CPKIFAuthorityKeyIdentifierPtr akid = crl->GetExtension<CPKIFAuthorityKeyIdentifier>();

    CPKIFCertificateNodeListWithSourceInfo nodeList;
    CPKIFCertificateList::iterator pos;
    CPKIFCertificateList::iterator end = crlIssuerCerts.end();
    for(pos = crlIssuerCerts.begin(); pos != end; ++pos)
    {
        CPKIFCertificateNodeEntryPtr entry(new CPKIFCertificateNodeEntry);
        entry->SetCert(*pos);
        nodeList.push_back(entry);
    }

    IPKIFTrustAnchorList rootList;
    CPKIFCertificateList certList;

    //score each node entry
    CPKIFCertificateNodeListWithSourceInfo::iterator nodeListPos;
    CPKIFCertificateNodeListWithSourceInfo::iterator nodeListEnd = nodeList.end();      

    CPKIFNamePtr targetIssuer = targetCertIssuersCertNK->GetSubjectName();
    CPKIFPolicyInformationListPtr initPolSet;
    settings->GetInitialPolicySet(initPolSet);

    for(nodeListPos = nodeList.begin(); nodeListPos != nodeListEnd; ++nodeListPos)
    {
        (*nodeListPos)->ClearScore();
        CPKIFCertificatePtr curCert = (*nodeListPos)->GetCert();
        CPKIFNamePtr curIssuer = curCert->Issuer();

        if(*curIssuer == *targetIssuer)
            (*nodeListPos)->AddToScore(200);

        IPKIFNameAndKey* curCertNK = dynamic_cast<IPKIFNameAndKey*>(&(*curCert));
        if(curCertNK && *curCertNK == *targetCertIssuersCertNK)
            (*nodeListPos)->AddToScore(200);

        if(!CertIsSelfIssued(curCert))
        {
            (*nodeListPos)->AddToScore(100);
        }

        CPKIFPolicyInformationSetPtr cpsFromCert = curCert->GetExtension<CPKIFPolicyInformationSet>();
        if(cpsFromCert != (CPKIFPolicyInformationSet*)NULL)
        {
            //give points for simply having a policy
            (*nodeListPos)->AddToScore(50);

            CPKIFPolicyMappingsPtr policyMappings;
            if(SomeMatch(cpsFromCert, initPolSet, policyMappings))
                (*nodeListPos)->AddToScore(50);
        }

        //check AKID/SKID chaining
        if(akid != (CPKIFAuthorityKeyIdentifier*)NULL)
        {
            if(KeyIDsMatch(akid, curCert))
            {
                (*nodeListPos)->AddToScore(800);
            }
            else
            {
                (*nodeListPos)->ClearScore();
            }
        }
        
        //if(!curCert->IsSelfSigned())
        //{
        //  (*nodeListPos)->AddToScore(100);
        //}
    }

    //reorder the list based on the scoring
    sort(nodeList.begin(), nodeList.end(), scoreCompare);

    crlIssuerCerts.clear();
    nodeListEnd = nodeList.end();       
    for(nodeListPos = nodeList.begin(); nodeListPos != nodeListEnd; ++nodeListPos)
    {
        crlIssuerCerts.push_back((*nodeListPos)->GetCert());
    }   
    //----------------------------------------------------------------------------------------------------

    return !crlIssuerCerts.empty();
}

//----------------------------------------------------------------------------------------------------
//
//  PRIVATE MEMBER FUNCTIONS
//
//----------------------------------------------------------------------------------------------------

//modified 12/4/2003
class ScopeCompare
{
public:
    bool operator()(const CPKIFCRLPtr& lhsCRL, const CPKIFCRLPtr& rhsCRL)
    {
        LOG_STRING_DEBUG("_scopeCompare(CPKIFCRLPtr& lhsCRL, CPKIFCRLPtr& rhsCRL)", TOOLKIT_PATH_MISC, 0, NULL);

        int lhsScore = 0, rhsScore = 0;

        CPKIFCRLTypePtr tmpLHS = _TypeOfCRL(lhsCRL);
        const CPKIFCRLTypePtr crlTypeLHS = tmpLHS;

        CPKIFCRLTypePtr tmpRHS = _TypeOfCRL(rhsCRL);
        const CPKIFCRLTypePtr crlTypeRHS = tmpRHS;

        // const CPKIFCRLTypePtr crlTypeLHS = _TypeOfCRL(lhsCRL);
                // const CPKIFCRLTypePtr crlTypeRHS = _TypeOfCRL(rhsCRL);

        //we want complete CRLs at the front - hence less than compare operation
        if(crlTypeLHS->GetCRLScope() > crlTypeRHS->GetCRLScope())
            rhsScore+=5;
        else if(crlTypeLHS->GetCRLScope() < crlTypeRHS->GetCRLScope())
            lhsScore+=5;

        if(m_issuer == (CPKIFCertificate*)NULL)
            return lhsScore > rhsScore;

        CPKIFAuthorityKeyIdentifierPtr lhsAKID = lhsCRL->GetExtension<CPKIFAuthorityKeyIdentifier>();
        CPKIFAuthorityKeyIdentifierPtr rhsAKID = rhsCRL->GetExtension<CPKIFAuthorityKeyIdentifier>();
        CPKIFSubjectKeyIdentifierPtr issSKID = m_issuer->GetExtension<CPKIFSubjectKeyIdentifier>();
        CPKIFAuthorityKeyIdentifierPtr akids[2] = {lhsAKID, rhsAKID};
        int* scores[2] = {&lhsScore, &rhsScore};
        
        for(int ii = 0; ii < 2; ++ii)
        {
            if(akids[ii] != (CPKIFAuthorityKeyIdentifier*)NULL)
            {
                if(akids[ii]->KeyIDPresent())
                {
                    if(issSKID != (CPKIFSubjectKeyIdentifier*)NULL)
                    {
                        CPKIFBufferPtr akidKeyID = akids[ii]->KeyIdentifier();
                        CPKIFBufferPtr skidKeyID = issSKID->KeyIdentifier();
                        if(akidKeyID != (CPKIFBuffer*)NULL && skidKeyID != (CPKIFBuffer*)NULL)
                        {
                            if(*akidKeyID == *skidKeyID)
                                *scores[ii]+=10;
                            else
                                *scores[ii]-=10;
                        }
                    }
                }
                else if(akids[ii]->IssDNAndSerialNumberPresent() && m_issuer != (CPKIFCertificate*)NULL)
                {
                    const char* lhsSN = akids[ii]->SerialNumber();
                    const char* rhsSN = m_issuer->SerialNumber();
                    //reviewed 4/24 - added strlen check
                    if(strlen(lhsSN) != strlen(rhsSN) || 0 != stricmp(lhsSN, rhsSN))
                        *scores[ii]-=10;
                    else
                    {
                        CPKIFGeneralNameList gns;
                        akids[ii]->Issuer(gns);

                        CPKIFGeneralNameList::iterator gnPos;
                        CPKIFGeneralNameList::iterator gnEnd = gns.end();
                        
                        //spin through them all and if we find a match - good
                        //if not - big deal - this is just for scoring
                        //not going to bother comparing curCert issAltNames for this purpose
                        for(gnPos = gns.begin(); gnPos != gnEnd; ++gnPos)
                        {
                            if(CPKIFGeneralName::DIRECTORYNAME == (*gnPos)->GetType())
                            {
                                if(*(*gnPos)->directoryName() == *m_issuer->Issuer())
                                    scores[ii]+=10;
                            }
                        }
                    }
                }
            }
        }

        return lhsScore > rhsScore;
    }
    void SetIssuer(
        const CPKIFCertificatePtr& issuer) {m_issuer = issuer;}
private:
    CPKIFCertificatePtr m_issuer;
};

//bool _scopeCompare(CPKIFCRLPtr& lhsCRL, CPKIFCRLPtr& rhsCRL)
//{
//  LOG_STRING_DEBUG("_scopeCompare(CPKIFCRLPtr& lhsCRL, CPKIFCRLPtr& rhsCRL)", TOOLKIT_PATH_MISC, 0, NULL);
//
//  const CPKIFCRLTypePtr crlTypeLHS = _TypeOfCRL(lhsCRL);
//  const CPKIFCRLTypePtr crlTypeRHS = _TypeOfCRL(rhsCRL);
//
//  //we want complete CRLs at the front - hence less than compare operation
//  return crlTypeLHS->GetCRLScope() < crlTypeRHS->GetCRLScope();
//}


//status check function that is invoked by both CheckStatus and CheckStatusPath from the public interface
bool CPKIFX509CRLCheckerImpl::CheckStatusInternal(
    const CPKIFCertificatePtr& targetCert, 
    IPKIFNameAndKey* issuersCertNK, 
    const CPKIFCertificatePtr& issuersCert,
    RevocationStatus& status, 
    CPKIFCertStatusPtr& certStatus, 
    bool validatePathToDirectCRLs,
    CPKIFPathSettingsPtr& settings,
    IPKIFTrustAnchorPtr& rootFromPath)
{
    LOG_STRING_DEBUG("CPKIFX509CRLCheckerImpl::CheckStatusInternal", TOOLKIT_PATH_MISC, 0, this);

    //This function takes the following params:
    //  - target cert (the cert for which revocation status is sought)  : IN
    //  - issuer's cert (the certificate of the issuer of the target cert) : IN
    //  - revocation status (low water mark for revocation status) : OUT
    //  - certificate status (in which crl and crl entry info may be optionally stored) : IN/OUT

    //added 11/12/2003
    if(certStatus == (CPKIFCertStatus*)NULL)
    {
        CPKIFCertStatusPtr newCS(new CPKIFCertStatus);
        certStatus = newCS;
    }


    //initialize the outbound revocation status indicator to NOT_CHECKED
    status = NOT_CHECKED;

    //create a CRL info object to receive CRL and CRL entry info for inclusion in outbound cert status object
    CPKIFCRLInfoPtr crlInfo(new CPKIFCRLInfo);

    //declare a list to hold the retrieved CRLs and an initial source indicator
    CPKIFCRLList crlList, quarantinedCRLs;
    PKIInfoSource source = LOCAL;

    //1) Classify the target certificate as one of the 10 types
    const CPKIFX509CRLChecker::CERTTYPES certType = _ClassifyCert(targetCert);
    
    //2) Determine the CRLs to obtain
    //  a) Identify the CRL types that apply (i.e. consult a static table w/ CRLCOVERAGEs for each cert type)
    //  b) Identify locations from which to retrieve CRLs (i.e. issuer directory entry vs. CRLDP/freshestCRL)
    //This is performed by the cache colleagues.  Some colleagues may not maintain info on the source of a CRL
    //and may return more than we need, in which case we'll prune the list in step 4.

    //if a freshest CRL extension was present set the source to REMOTE
    CPKIFFreshestCRLPtr fresh = targetCert->GetExtension<CPKIFFreshestCRL>();
    if(fresh != (CPKIFFreshestCRL*)NULL)
        source = ALL;//go ahead and turn on REMOTE searching but also leave on LOCAL

    ScopeCompare _scopeCompare;
    _scopeCompare.SetIssuer(issuersCert);

    AssociatedCRLsList acl;
    do
    {
        //3) Obtain CRL(s) - fail if no CRLs can be obtained 
        ObtainCRLs(targetCert, source, crlList, settings);

        //move any CRLs from quarantine to active list then clear the quarantine
        copy(quarantinedCRLs.begin(), quarantinedCRLs.end(), back_inserter(crlList));
        quarantinedCRLs.clear();

        //order the CRLs in crlList such that deltas are at the rear
        sort(crlList.begin(), crlList.end(), _scopeCompare);

        CPKIFCRLList::iterator cur;  
        CPKIFCRLList::iterator end = crlList.end();  
        //clear the associated CRL list - it will be (re)populated by the call to DetermineCompatibilityAndValidity below
        acl.clear();

        //4) For each CRL, determine CRL and cert compatibility (type compatibility, dp compatibility,
        //   crl issuer compatibility and reason code compatibility (wrt to crl dp reasons).
        //5) For each CRL, determine CRL validity (i.e. check currency, verify signature,
        //   validate delta scope and process remaining CRL extensions)
        DetermineCompatibilityAndValidity(targetCert, issuersCertNK, issuersCert, crlList, validatePathToDirectCRLs, 
                                            quarantinedCRLs, settings, acl, rootFromPath);

        //6) Determine if all necessary CRLs were obtained
        if(DoWeHaveEverythingWeNeed(targetCert, crlList, quarantinedCRLs))
        {
            //7) For each CRL, check cert status
            try
            {
                SeeIfCertHasBeenRevoked(targetCert, acl, status, certStatus, crlInfo);

                //prepare bools to bail out since we have made our final determination
                return true;
            }
            catch(CPKIFException&)
            {
                //added this 4/7/2004
                //only get here if there's a critical CRLEntry extension
            }
        }
        else
        {
            //if we do not have all of the crls we need then check additional sources (if possible) or
            //terminate the loop 
            if(LOCAL == source)
            {
                LOG_STRING_INFO("Failed to find necessary CRL(s) using LOCAL sources.  Checking REMOTE sources.", m_parent->thisComponent, 0, this);
                source = REMOTE;
            }
            else
            {
                if(certStatus->GetRevocationStatus() == NOT_CHECKED)
                    certStatus->SetDiagnosticCode(PATH_CERT_REVOCATION_STATUS_NOT_DETERMINED);
                return false;
            }
        }
    }while(1);
    //Loop terminiation is assured as the source is guaranteed to not be LOCAL on the second loop.  The 
    //loop executes a MAX of two times.
}

//1) performed in CheckStatusInternal (simple call to _ClassifyCert)
//2) handled by cache colleagues
//3)
void CPKIFX509CRLCheckerImpl::ObtainCRLs(
    const CPKIFCertificatePtr& targetCert, 
    PKIInfoSource& source, 
    CPKIFCRLList& crlList,
    CPKIFPathSettingsPtr& settings)
{
    LOG_STRING_DEBUG("CPKIFX509CRLCheckerImpl::ObtainCRLs", TOOLKIT_PATH_MISC, 0, this);

    //get required interface pointer
    IPKIFCRLRepository* crlCache = m_parent->GetMediatorFromParent<IPKIFCRLRepository>();
    if(NULL == crlCache)
        throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER,COMMON_MEDIATOR_MISSING,"IPKIFCRLRepository interface was not available.");

    //get optional interface pointer
    IPKIFCRLRepositoryUpdate* crlCacheUpdate = m_parent->GetMediatorFromParent<IPKIFCRLRepositoryUpdate>();

    //testing with syn sources...
    //crlCache->GetCRLs(targetCert, crlList, source);

    CPKIFCRLNodeList crlNodeList;
    crlCache->GetCRLs(targetCert, crlNodeList, source,settings);

    CPKIFCRLNodeList::iterator pos;
    CPKIFCRLNodeList::iterator end = crlNodeList.end();
    for(pos = crlNodeList.begin(); pos != end; ++pos)
    {
        CPKIFCRLPtr crl = (*pos)->GetCRL();
        if(crl != (CPKIFCRL*)NULL)
        {
            crlList.push_back(crl);
        }       
    }

    CPKIFTimePtr valTime;
    if(settings)
        valTime = settings->GetValidationTime();

    if(valTime && settings->GetRequireValidationTimeNesting())
    {
        CRLCoversTimeOfInterest cctoi;
        cctoi.SetTimeOfInterest(valTime);
        CPKIFCRLList::iterator newEnd = remove_if(crlList.begin(), crlList.end(), cctoi);
        crlList.erase(newEnd, crlList.end());
    }

    
    if(NULL != crlCacheUpdate)
    {
        //iterate over the CRLs
        CPKIFCRLList::iterator pos;
        CPKIFCRLList::iterator end = crlList.end();
        for(pos = crlList.begin(); pos != end; ++pos)
        {
            try
            {
                CPKIFGeneralNamePtr dummy;
                crlCacheUpdate->AddCRL(*pos, dummy);//XXX-DEFER need means of knowing source of CRL to update cache
            }
            catch(CPKIFCacheException& e)
            {
                //EXCEPTION DELETION
                //don't throw simply because we have no in-memory cache or whatever
                if(COMMON_OPERATION_NOT_HANDLED == e.GetErrorCode())
                {
                    //delete e; 
                    break;
                }
                else
                    throw e;
            }
        }
    }
}

//4)
void CPKIFX509CRLCheckerImpl::DetermineCompatibilityAndValidity(
    const CPKIFCertificatePtr& targetCert,  
    IPKIFNameAndKey* issuersCertNK,
    const CPKIFCertificatePtr& issuersCert,
    CPKIFCRLList& crlList, 
    bool validatePathToDirectCRLs, 
    CPKIFCRLList& quarantinedCRLs, 
    CPKIFPathSettingsPtr& settings,
    AssociatedCRLsList& acl,
    IPKIFTrustAnchorPtr& rootFromPath)
{
//macro to remove the CRL from the list (erase returns next iterator position hence continue)
#undef DISCARD_CRL_AND_CONTINUE
#define DISCARD_CRL_AND_CONTINUE \
{ \
    pos = crlList.erase(pos);\
    end = crlList.end();\
    continue;\
}

    LOG_STRING_DEBUG("CPKIFX509CRLCheckerImpl::DetermineCompatibilityAndValidity", TOOLKIT_PATH_MISC, 0, this);

    //get CRL DP from the target cert, if present, then get DPs from the extension
    CPKIFCRLDistributionPointsPtr crlDP = targetCert->GetExtension<CPKIFCRLDistributionPoints>();
    CPKIFCRLDistributionPointListPtr dpsFromCRLDP;
    if(crlDP != (CPKIFCRLDistributionPoints*)NULL)
        dpsFromCRLDP = crlDP->DPs();

    bool requireFresh = false;
    
    if(settings != (CPKIFPathSettings*)NULL)
        requireFresh = settings->GetRequireFreshRevocationData();

    CPKIFCRLPtr bestNonDelta;

    //iterate over all CRLs and perform simple sanity checks, signature checks, etc.
    CPKIFCRLList::iterator pos;
    CPKIFCRLList::iterator end = crlList.end();
    for(pos = crlList.begin(); pos != end;)
    {
        #ifdef _DEBUG
            const char* curCRLIssuerString = (*pos)->Issuer()->ToString();
        #endif
        //If the CRL is a DP CRL then we need to validate the scope of the CRL with regard to
        //the target certificate.
        const CPKIFCRLTypePtr crlType = _TypeOfCRL(*pos);
        const CPKIFX509CRLChecker::CRLCOVERAGE coverage = crlType->GetCRLCoverage();
        const CPKIFX509CRLChecker::CRLSCOPE scope = crlType->GetCRLScope();
        const CPKIFX509CRLChecker::CRLAUTHORITY authority = crlType->GetCRLAuthority();
        const CPKIFX509CRLChecker::CERTTYPES certType = _ClassifyCert(targetCert);
        const CPKIFX509CRLChecker::CRLREASONS reasons = crlType->GetCRLReasons();

        std::vector<CPKIFX509ExtensionPtr> processedExts;
        CPKIFCRLDistributionPointPtr activeCRLDP;

        //4-a) confirm that the CRL type and cert type are compatible
        if(!g_CompatibleScope[certType][scope] || !g_CompatibleCoverage[certType][coverage])
        {
            DISCARD_CRL_AND_CONTINUE
        }

        //4-b) validate the CRL issuer name
        if(!_ValidateCRLIssuerName2(targetCert, dpsFromCRLDP, *pos, scope, activeCRLDP))
        {
            DISCARD_CRL_AND_CONTINUE
        }

        //4-c) Validate DP (sets activeCRLDP as necessary)
        if(!_ValidateDP2(dpsFromCRLDP, *pos, scope, activeCRLDP, reasons))
        {
            DISCARD_CRL_AND_CONTINUE
        }

        //4-d) Validate CRL authority
        if(!_ValidateCRLAuthority(targetCert, *pos, authority))
        {
            DISCARD_CRL_AND_CONTINUE
        }

        //5-d) Check for critical, unprocessed extensions (assume delta and IDP are processed)
        //We currently only handle 2 CRL extensions.  Grab pointers to each (if present) and push them
        //into the processedExts list.  They were each fully processed above (or below) if present.
        CPKIFDeltaCRLIndicatorPtr delta = (*pos)->GetExtension<CPKIFDeltaCRLIndicator>();
        if(delta != (CPKIFDeltaCRLIndicator*)NULL)
            processedExts.push_back(delta);

        CPKIFIssuingDistributionPointPtr idp = (*pos)->GetExtension<CPKIFIssuingDistributionPoint>();
        if(idp != (CPKIFIssuingDistributionPoint*)NULL)
            processedExts.push_back(idp);

        if((*pos)->AreThereAnyUnprocessedCriticalExtensions(processedExts))
        {
            DISCARD_CRL_AND_CONTINUE
        }

        //added 7/21/2005 CRW
        if(bestNonDelta != (CPKIFCRL*)NULL && 
            (CPKIFX509CRLChecker::CS_COMPLETE == scope ||
            CPKIFX509CRLChecker::CS_DP == scope) &&
            CPKIFX509CRLChecker::CR_SOMEREASONS != reasons)
        {
            CPKIFTimePtr curThis = (*pos)->ThisUpdate();
            CPKIFTimePtr prevThis = bestNonDelta->ThisUpdate();
            if(*prevThis >= *curThis)
            {
                DISCARD_CRL_AND_CONTINUE
            }
        }

        //5-a) Currency check
        //5-b) Signature check
        //added settings param 9/26/03
        if(!PerformCurrencyAndSignatureChecks(targetCert, issuersCertNK, issuersCert, *pos, authority, validatePathToDirectCRLs, processedExts, requireFresh, settings, rootFromPath))
        {
            DISCARD_CRL_AND_CONTINUE
        }

        //added 7/21/2005 CRW
        if(CPKIFX509CRLChecker::CS_COMPLETE == scope || 
            CPKIFX509CRLChecker::CS_DP == scope)
            bestNonDelta = *pos;

        //MOVED DOWN HERE FROM ABOVE 04/28/03 CRW
        //SHOULDN"T BE POPULATING  ACL PRIOR TO COMPLETION OF ALL CHECKS
        //5-c) Validate delta scope (don't discard on failure - quarantine)
        if(!_ValidateDeltaScope(targetCert, *pos, scope, crlList, quarantinedCRLs, acl))
        {
            DISCARD_CRL_AND_CONTINUE
        }

        ++pos; //update here instead of in for statement to account for calls to erase
    }
}

//5
bool CPKIFX509CRLCheckerImpl::DoWeHaveEverythingWeNeed(
    const CPKIFCertificatePtr& targetCert, 
    CPKIFCRLList& crlList,
    CPKIFCRLList& quarantinedCRLs)
{
    LOG_STRING_DEBUG("CPKIFX509CRLCheckerImpl::DoWeHaveEverythingWeNeed", TOOLKIT_PATH_MISC, 0, this);

    //added list compilation 04/28/03 CRW
    CPKIFCRLList tmpList;
    copy(crlList.begin(), crlList.end(), back_inserter(tmpList));
    copy(quarantinedCRLs.begin(), quarantinedCRLs.end(), back_inserter(tmpList));

    //5-a) Process critical CRL DP and/or freshestCRL
    if(!ProcessCriticalCertExtensions(targetCert, tmpList))
        return false;

    //5-b) Process reason codes of interest
    if(!_ProcessReasonCodesOfInterest(targetCert, crlList, m_reasons))
        return false;

    //5-d) Discard extraneous CRLs
    _QuarantineExtraneousCRLs(targetCert, crlList, quarantinedCRLs);

    //return empty check just for sake of sanity
    return !crlList.empty();
}

//6) 
void CPKIFX509CRLCheckerImpl::SeeIfCertHasBeenRevoked(
    const CPKIFCertificatePtr& targetCert, 
    AssociatedCRLsList& crlList,
    RevocationStatus& status, 
    CPKIFCertStatusPtr& certStatus,
    CPKIFCRLInfoPtr& crlInfo)
{
    LOG_STRING_DEBUG("CPKIFX509CRLCheckerImpl::SeeIfCertHasBeenRevoked", TOOLKIT_PATH_MISC, 0, this);

    CPKIFCRLEntryPtr crlEntry, deltaCRLEntry;
    status = NOT_REVOKED;

    //this function assumes that the list of CRLs passed in is complete with regard to the target cert and
    //simply iterates over the list asking each CRL is the cert has been revoked.
    AssociatedCRLsList::iterator pos;
    AssociatedCRLsList::iterator end = crlList.end();
    for(pos = crlList.begin(); pos != end; ++pos)
    {
        std::vector<CPKIFX509ExtensionPtr> processedExts;
        CPKIFCRLPtr base = (*pos)->m_base;
        bool onHold = false;

        //all CRLs that we check get reported back
        crlInfo->AddCRL(base);

        if(base->CertOnThisCRL(targetCert, crlEntry))
        {
            CPKIFCRLReasonPtr reason = crlEntry->GetExtension<CPKIFCRLReason>();
            if(reason != (CPKIFCRLReason*)NULL && reason->CertificateHold())
            {
                //if cert is on hold then sit tight and inspect the delta
                onHold = true;
                crlInfo->SetCRLEntry(crlEntry);
                certStatus->SetDiagnosticCode(PATH_CERT_REVOKED);
                status = REVOKED;

                //added 4/7/2004
                processedExts.push_back(reason);
            }
            else
            {
                //added 4/7/2004
                if(reason != (CPKIFCRLReason*)NULL)
                    processedExts.push_back(reason);

                //prepare CRL info w/ CRL entry
                crlInfo->SetCRLEntry(crlEntry);

                certStatus->SetDiagnosticCode(PATH_CERT_REVOKED);

                //change the status to revoked
                status = REVOKED;
                break;
            }
        }

        //added 4/7/2004
        if(crlEntry != (CPKIFCRLEntry*)NULL && crlEntry->AreThereAnyUnprocessedCriticalExtensions(processedExts))
        {
            throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER, PATH_UNPROCESSED_CRITICAL_EXTENSION);
        }

        //just check the frontmost delta
        if(!(*pos)->m_deltas.empty())
        {
            CPKIFCRLPtr delta = (*pos)->m_deltas.front();
            crlInfo->AddCRL(delta);
            if(delta->CertOnThisCRL(targetCert, deltaCRLEntry))
            {
                CPKIFCRLReasonPtr deltaReason = deltaCRLEntry->GetExtension<CPKIFCRLReason>();
                if(deltaReason != (CPKIFCRLReason*)NULL && deltaReason->RemoveFromCRL())
                {
                    //if cert is on hold then sit tight and inspect the delta
                    onHold = false;
                    certStatus->SetDiagnosticCode(0);
                    status = NOT_REVOKED;
                }
                else
                {
                    //prepare CRL info w/ CRL entry
                    crlInfo->SetCRLEntry(deltaCRLEntry);

                    certStatus->SetDiagnosticCode(PATH_CERT_REVOKED);

                    //change the status to revoked
                    status = REVOKED;
                    break;
                }
            }
        }

        //go ahead and bail out after checking the front crl/delta group (the frontmost
        //should always be most recent).  remove following line if checking all
        //available CRLs is desired (it's not necessary and could lead to trouble
        //in onHold cases)
        //break; //added 04/26/2003 - removed 4/25/2006 to permit checking where reason codes are checked
    }

    //update certStatus with status and crlInfo
    certStatus->AddRevocationSource(REVSOURCE_CRL, REV_INFO_CAST(crlInfo), status);
    certStatus->SetRevocationStatus(status);
    if(REVOKED == status)
        certStatus->SetDiagnosticCode(PATH_CERT_REVOKED);
    else if (NOT_CHECKED == status)
        certStatus->SetDiagnosticCode(PATH_CERT_REVOCATION_STATUS_NOT_DETERMINED);
    else
        certStatus->SetDiagnosticCode(0);
    return;
}

//functions that are called by the above functions
//commented out 8/26/2004 - unused
/*bool CPKIFX509CRLChecker::ValidatePath(CPKIFCertificatePtr& signersCert)
{
    LOG_STRING_DEBUG("CPKIFX509CRLChecker::ValidatePath(CPKIFCertificatePtr& signersCert)", TOOLKIT_PATH_MISC, 0, this);

    //get pointer to necessary interfaces
    IPKIFPathValidate* pv = GetMediatorFromParent<IPKIFPathValidate>();
    IPKIFPathBuild* pb = GetMediatorFromParent<IPKIFPathBuild>();
    if(NULL == pv || NULL == pb)
        throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER,COMMON_MEDIATOR_MISSING,"One or both of the IPKIFPathValidate or IPKIFPathBuild interfaces was not available.");

    //declare a path and set the target cert
    CPKIFCertificatePath path;
    path.SetTarget(signersCert);

    //prepare path settings
    if(m_impl->m_settings != (CPKIFPathSettings*)NULL)
    {
        //if settings have been set from outside - use those
        path.SetPathSettings(m_impl->m_settings);
    }
    else
    {
        //otherwise declare default settings
        CPKIFPathSettingsPtr settings(new CPKIFPathSettings);
        path.SetPathSettings(m_impl->m_settings);
    }

    //try to build a path
    if(!pb->BuildPath(path))
        return false;

    //validate the path
    CPKIFPathValidationResults results;
    CPKIFFuncStoragePtr empty;
    if(!pv->ValidatePath(path, results, empty))
        return false;
    
    RevocationStatus minAcceptable = NOT_REVOKED;

    //return a bool reflecting the status
    RevocationStatus rStatus = results.GetRevocationStatusMostSevere();
    return rStatus == minAcceptable;
}
*/
//ADDED 7/18
void KeyUsageCheckerCRL(
    const CPKIFCertificateNodeEntryPtr& certNode, 
    CPKIFPathValidationResults& results, 
    CertificateType type)
{
    if(EE == type)
    {
        //make sure EE cert has a key usage extension with CRLSign
        CPKIFCertificatePtr curCert = certNode->GetCert();
        CPKIFKeyUsagePtr keyUsage = curCert->GetExtension<CPKIFKeyUsage>();
        if(keyUsage != (CPKIFKeyUsage*)NULL)
        {
            if(keyUsage->CRLSign())
            {
                CPKIFX509ExtensionPtr keyUsage2 = keyUsage;
                certNode->MarkExtensionAsProcessed(keyUsage2);
            }
        }

        //don't let unprocessed basic constraints foul us up
        CPKIFBasicConstraintsPtr bc = curCert->GetExtension<CPKIFBasicConstraints>();
        if(bc != (CPKIFBasicConstraints*)NULL)
        {
            CPKIFX509ExtensionPtr bc2 = bc;
            certNode->MarkExtensionAsProcessed(bc2);
        }
    }

    //process CA certs here or in a different functor
}
//Functor<void, TYPELIST_3(const CPKIFCertificateNodeEntryPtr&,CPKIFPathValidationResults&, CertificateType)> keyUsageFunctor_CRL(KeyUsageCheckerCRL);

//added settings param 9/26/03
bool CPKIFX509CRLCheckerImpl::PerformCurrencyAndSignatureChecks(
    const CPKIFCertificatePtr& targetCert, 
    IPKIFNameAndKey* targetCertIssuersCertNK, 
    const CPKIFCertificatePtr& issuersCert, 
    CPKIFCRLPtr& crl, 
    const CPKIFX509CRLChecker::CRLAUTHORITY authority,
    bool validatePathToDirectCRLs, 
    std::vector<CPKIFX509ExtensionPtr>& processedExts, 
    bool requireFresh, 
    CPKIFPathSettingsPtr& settings,
    IPKIFTrustAnchorPtr& rootFromPath)
{
    LOG_STRING_DEBUG("CPKIFX509CRLCheckerImpl::PerformCurrencyAndSignatureChecks", TOOLKIT_PATH_MISC, 0, this);

    CPKIFFuncStoragePtr keyUsageFunctor_CRL(new CPKIFFuncStorage(KeyUsageCheckerCRL));

    //changed from current time to settings-based time - 7/19/2004
    CPKIFTimePtr curTime = settings->GetValidationTime();

    //check the date on the CRL
    //added thisUpdate check - 7/19/2004
    CPKIFTimePtr thisUpdate = crl->ThisUpdate();
    CPKIFDurationPtr duration = settings->GetDuration();
    bool requireRecent = settings->GetRequireSufficientlyRecent();
    CPKIFTimePtr sufficientlyRecent(new CPKIFTime(*curTime - *duration));

    if(requireRecent && (thisUpdate != (CPKIFTime*)NULL && *thisUpdate < *sufficientlyRecent))
        return false; //if we require fresh CRLs and the curTime is past the nextUpdate then return false

    CPKIFTimePtr nextUpdate = crl->NextUpdate();
    if(requireFresh && nextUpdate != (CPKIFTime*)NULL && *curTime > *nextUpdate)
        return false; //if we require fresh CRLs and the curTime is past the nextUpdate then return false

    //set up some variables for use in calculating hash of CRL (alg will be set up below)
    char hashResult[MAXHASH];
    int nResultLen = MAXHASH;
    PKIFCRYPTO::HASH_ALG hashAlg = PKIFCRYPTO::SHA1;

    //for now we are supporting MD5 and SHA1 only adjust the below code accordingly when and if that changes
    CPKIFAlgorithmIdentifierPtr sigAlg = crl->SignatureAlgorithm();
    CPKIFOIDPtr aTmpOID = sigAlg->oid();
    if(!GetCACHashAlg(aTmpOID/*sigAlg->oid()*/, &hashAlg))
        throw CPKIFPathException(TOOLKIT_PATH_CRL_CHECKER, CRYPTO_ALG_NOT_SUPPORTED);

    IPKIFCryptoMisc* cryptoMisc = m_parent->GetMediatorFromParent<IPKIFCryptoMisc>();
    IPKIFCryptoRawOperations* crypto = m_parent->GetMediatorFromParent<IPKIFCryptoRawOperations>();

    //obtain the hash of the to-be-signed CRL
    if(!_GetHashOfToBeSignedCRL2(crl, cryptoMisc, hashAlg, (unsigned char*)hashResult, &nResultLen))
        return false;

    //get the CRL signature in a buffer
    CPKIFBufferPtr sigBuf = crl->Signature();

    PKIInfoSource source = LOCAL;
    CPKIFCertificateList crlIssuerCerts;

    IPKIFPathValidate* pv = m_parent->GetMediatorFromParent<IPKIFPathValidate>();
    IPKIFPathBuild* pb = m_parent->GetMediatorFromParent<IPKIFPathBuild>();

    //----------------------------------------------------------------------------------------------------
    CPKIFTrustRoot* issAsCertTa = dynamic_cast<CPKIFTrustRoot*>(targetCertIssuersCertNK);
    CPKIFCertificate* issAsCert = dynamic_cast<CPKIFCertificate*>(targetCertIssuersCertNK);
    if(!issAsCertTa && !issAsCert)
    {
        //the issuer is a non-cert TA object

        //stuff the cert in a key material object
        CPKIFKeyMaterial key;
        CPKIFSubjectPublicKeyInfoPtr spki = targetCertIssuersCertNK->GetSubjectPublicKeyInfo();
        key.SetSubjectPublicKeyInfo(spki);

        //see if it verifies - if not move on
        try
        {
            if(crypto->Verify(key, (unsigned char*)hashResult, nResultLen, (unsigned char*)sigBuf->GetBuffer(), sigBuf->GetLength(), hashAlg))
            {
                return true;
            }
        }
        catch(CPKIFException&)
        {
        }
    }
    //----------------------------------------------------------------------------------------------------
    do
    {
        //get a list of candidate CRL issuer certs
        if(!_GetCRLIssuersCert(crl, targetCertIssuersCertNK, issuersCert, crlIssuerCerts, source, m_parent/*this*/, authority, settings))
        {
            //changed from simple break to conditional break 12/8/2003
            if(REMOTE == source)
            {
                break;
            }
            else
            {
                source = REMOTE;
                continue;
            }
        }

        //added verification re-attempt w/ working params stuff - 04/18/2003
        bool reattemptWithWorkingParams = false;
        
        CPKIFCertificateList::iterator pos;
        CPKIFCertificateList::iterator end = crlIssuerCerts.end();
        for(pos = crlIssuerCerts.begin(); pos != end; ++pos)
        {
            //check the public key alg of the cert - if it doesn't match try the next one
            CPKIFAlgorithmIdentifierPtr certAlg = (*pos)->SubjectPublicKeyInfo()->alg();
            if(GetAlgClass(certAlg) != GetAlgClass(sigAlg))
                continue;

            //make sure cert has proper key usage - if not move on to the next one
            CPKIFKeyUsagePtr ku = (*pos)->GetExtension<CPKIFKeyUsage>();
            if(ku != (CPKIFKeyUsage*)NULL && !ku->CRLSign())
                continue;

            //stuff the cert in a key material object
            CPKIFKeyMaterial key;
            CPKIFBufferPtr certBuf = (*pos)->Encoded();
            key.SetCertificate(certBuf->GetBuffer(), certBuf->GetLength());

            //see if it verifies - if not move on
            try
            {
                if(!crypto->Verify(key, (unsigned char*)hashResult, nResultLen, (unsigned char*)sigBuf->GetBuffer(), sigBuf->GetLength(), hashAlg))
                    continue;
            }
            catch(CPKIFException& e)
            {
                if( PKIFCAPING_KEY_IMPORT_FAILED == e.GetErrorCode() || 
                    PKIFCAPI_KEY_IMPORT_FAILED == e.GetErrorCode() || 
                    PKIF_CRYPTOPP_RAW_IMPORT_FAILED == e.GetErrorCode() ||
                    PKIFNSS_CERT_IMPORT_FAILED == e.GetErrorCode())
                        reattemptWithWorkingParams = true;
                else
                    throw e;
            }

            IPKIFNameAndKey* posNK = dynamic_cast<IPKIFNameAndKey*>(&(*(*pos)));
            if(/*CPKIFX509CRLChecker::CRLAUTHORITY::CA_DIRECT == authority*/
                *posNK == *targetCertIssuersCertNK
                && false == validatePathToDirectCRLs && false == reattemptWithWorkingParams)
                return true;

            //guard against infinite loop (replaced with better guard below)
            if(*targetCert == *(*pos))
                return false; //changed from return false 9/12/03 then back again - 12/4/2003

            //prepare a path object
            CPKIFCertificatePath path;
            path.SetTarget(*pos);
            path.SetPathSettings(settings);

            CPKIFCertificateNodeEntryPtr targetAsNode(new CPKIFCertificateNodeEntry);
            targetAsNode->SetCert(targetCert);

            do
            {
                //build and validate a path to the cert - if it fails move on
                bool pB = pb->BuildPath(path);
                if(!pB)
                    break;

                //guard against infinite loop - 9/12/03
                CPKIFCertificateNodeList certsFromPath;
                path.GetPath(certsFromPath);
                GottaMatch<CPKIFCertificateNodeEntryPtr> gm;
                gm.SetRHS(targetAsNode);
                CPKIFCertificateNodeList::iterator certsFromPathEnd = certsFromPath.end();
                if(certsFromPathEnd != find_if(certsFromPath.begin(), certsFromPath.end(), gm))
                {
                    //if we found the target on the path to the CRL then ignore this path
                    continue;
                }

                //require the same trust anchor as the certification path
                if(rootFromPath != (CPKIFTrustRoot*)NULL)
                {
                    IPKIFTrustAnchorPtr candidateRoot;
                    path.GetTrustRoot(candidateRoot);
                    if(candidateRoot != (CPKIFTrustRoot*)NULL)
                    {
                        if(!(*candidateRoot == *rootFromPath))
                                continue;
                    }
                }

                CPKIFPathValidationResults results;
                CPKIFFuncStoragePtr empty;
                pv->SetAdditionalCertificateChecks(keyUsageFunctor_CRL);
                pv->ValidatePath(path, results, empty);
                if(results.PathSuccessfullyValidated())
                {
                    if(reattemptWithWorkingParams)
                    {
                        CPKIFAlgorithmIdentifierPtr wp = results.GetWorkingParams();
                        key.SetWorkingParameters(wp);
                        if(!crypto->Verify(key, (unsigned char*)hashResult, nResultLen, (unsigned char*)sigBuf->GetBuffer(), sigBuf->GetLength(), hashAlg))
                            continue;
                        else
                            return true;
                    }
                    else
                        return true;
                }
            }while(1);
        }

        if(LOCAL == source)
        {
            source = REMOTE;
            LOG_STRING_INFO("Failed to find necessary CRL signer certificate using LOCAL sources.  Checking REMOTE sources.", m_parent->thisComponent, 0, this);
        }
        else
            break;
    }while(1);  //loop termination occurs when _GetCRLIssuersCert fails to return any candidate certs
                //or when validation is successful

    return false;
}

//----------------------------------------------------------------------------------------------------
//
//  PUBLIC MEMBER FUNCTIONS
//
//----------------------------------------------------------------------------------------------------
CPKIFX509CRLChecker::CPKIFX509CRLChecker(void):m_impl(new CPKIFX509CRLCheckerImpl)
{
    m_impl->m_parent = this;
    LOG_STRING_DEBUG("CPKIFX509CRLChecker::CPKIFX509CRLChecker(void)", TOOLKIT_PATH_MISC, 0, this);
}
CPKIFX509CRLChecker::~CPKIFX509CRLChecker(void)
{
    LOG_STRING_DEBUG("CPKIFX509CRLChecker::~CPKIFX509CRLChecker(void)", TOOLKIT_PATH_MISC, 0, this);
    delete m_impl;
    m_impl = '\0';
}
void CPKIFX509CRLChecker::Initialize() 
{
    LOG_STRING_DEBUG("CPKIFX509CRLChecker::Initialize()", TOOLKIT_PATH_MISC, 0, this);
}
bool CPKIFX509CRLChecker::CheckStatus(
    const CPKIFCertificatePtr& targetCert,  //IN: cert for which revocation status is sought
    const CPKIFCertificatePtr& issuersCert, //IN: cert of targetCert's issuer
    RevocationStatus& status,               //OUT: revocation status
    CPKIFCertStatusPtr& certStatus)         //OUT: status info (i.e. CRLs, CRL entry)
{
    LOG_STRING_DEBUG("CPKIFX509CRLChecker::CheckStatus", TOOLKIT_PATH_MISC, 0, this);

    //This function simply calls the internal status checker with the flag to verify 
    //path to direct CRLs issuer set to true.
    if(!m_impl->m_settings)
    {
        CPKIFPathSettingsPtr settings(new CPKIFPathSettings);
        m_impl->m_settings = settings;
    }
    IPKIFTrustAnchorPtr emptyRoot;

    IPKIFNameAndKey* issuersCertNK = dynamic_cast<IPKIFNameAndKey*>(&(*issuersCert));
    return m_impl->CheckStatusInternal(targetCert, issuersCertNK, issuersCert, status, certStatus, true, m_impl->m_settings, emptyRoot);
}
bool CPKIFX509CRLChecker::CheckStatusPath(
    CPKIFCertificatePath& path, //IN/OUT: validated path w/ certs for which revocation status is sought
    RevocationStatus& status)   //OUT: low-water mark of revocation status in path                                       
{
    LOG_STRING_DEBUG("CPKIFX509CRLChecker::CheckStatusPath", TOOLKIT_PATH_MISC, 0, this);

    //initialize the outbound low-water revocation status
    status = NOT_CHECKED;

    //remove any CRLs from the path's CRL list - we'll populate it below
    //rev status info is now stored solely on cert status object
    //path.ClearCRLs(); 

    //get certs from path
    CPKIFCertificateNodeList certNodeList;
    path.GetPath(certNodeList);

    //get the trust root from the path
    IPKIFTrustAnchorPtr root;
    path.GetTrustRoot(root);

    //variables used in the following loop
    bool statusSet = false;                     //iterator to indicate if status has been set
    CPKIFCertificatePtr curCert, issuersCert;   //pointers to relevant certs
    IPKIFNameAndKeyPtr issuersCertNK;       
    CPKIFCertStatusPtr curCertStatus;           //pointer to cert status object for current cert
    RevocationStatus rStatus = NOT_CHECKED, pathStatus = NOT_CHECKED;                   //revocation status of current cert

    //set the initial curCert value to the trust root of the path to prepare for first iteration
    //CPKIFTrustRoot* ta = dynamic_cast<CPKIFTrustRoot*>(&(*(root)));
    //if(ta != NULL)
    //  ta->GetCert(issuersCert);

    //issuersCertNK = dynamic_cast<IPKIFNameAndKey*>(&(*(root)));

    issuersCertNK = dynamic_pointer_cast<IPKIFNameAndKey, IPKIFTrustAnchor>(root);


    CPKIFPathSettingsPtr settings;
    path.GetPathSettings(settings);

    //iterate over all certs in the path and invoke the CheckStatusInternal function
    CPKIFCertificateNodeList::iterator pos;
    CPKIFCertificateNodeList::iterator end = certNodeList.end();
    for(pos = certNodeList.begin(); pos != end; ++pos)
    {
        //initialize loop variables for this iteration
        //issuersCert = curCert;
        curCert = (*pos)->GetCert();
        curCertStatus = (*pos)->GetStatus();

        if(NOT_CHECKED != curCertStatus->GetRevocationStatus())
        {
            pathStatus = min(pathStatus, curCertStatus->GetRevocationStatus());

            issuersCert = curCert;
            //issuersCertNK = dynamic_cast<IPKIFNameAndKey*>(&(*(curCert)));
            issuersCertNK = dynamic_pointer_cast<IPKIFNameAndKey,CPKIFCertificate>(curCert);
            continue;
        }
        rStatus = NOT_CHECKED;

        //added noCheck check 2/4/2004
        CPKIFX509ExtensionPtr ext;
        curCert->GetExtensionByOID(*g_ocspNoCheck, ext);

        //if nocheck extension is present then relax requirement to check revocation
        if(ext != (CPKIFX509Extension*)NULL)
        {
            pathStatus = min(status, NOT_REVOKED);
        }
        else
        {
            //We pass false for the last parameter as this function assumes that the path
            //has been validated and thus we need not build/validate a path to issuers of 
            //direct CRLs. 
            m_impl->CheckStatusInternal(curCert, issuersCertNK.get(), issuersCert, rStatus, curCertStatus, false, settings, root);
            if(!statusSet)
            {
                pathStatus = rStatus;
                statusSet = true;
            }
            else
                pathStatus = min(pathStatus, rStatus);
        }

        issuersCert = curCert;
        //issuersCertNK = dynamic_cast<IPKIFNameAndKey*>(&(*(curCert)));
        issuersCertNK = dynamic_pointer_cast<IPKIFNameAndKey,CPKIFCertificate>(curCert);
    }

    status = pathStatus;
    return status != NOT_CHECKED;
}
void CPKIFX509CRLChecker::SetReasonCodesOfInterest(
    CPKIFReasonFlagsPtr& reasons)
{
    m_impl->m_reasons = reasons;
}
CPKIFReasonFlagsPtr CPKIFX509CRLChecker::GetReasonCodesOfInterest() const
{
    return m_impl->m_reasons;
}

CPKIFPathSettingsPtr CPKIFX509CRLChecker::GetPathSettings() const
{
    return m_impl->m_settings;
}
void CPKIFX509CRLChecker::SetPathSettings(CPKIFPathSettingsPtr& settings)
{
    m_impl->m_settings = settings;
}