Module: CPKIFX509CRLChecker
Definition in file CCACX509CRLChecker.cpp.
#include "PKIFX509CRLChecker.h"
#include "PKIFCertificatePath.h"
#include "PKIFErrors.h"
#include "PKIFCacheInterfaces.h"
#include "PKIFPathInterfaces.h"
#include "PKIFBasicPathState2.h"
#include "GeneralNamesCompare.h"
#include "Certificate.h"
#include "SubjectPublicKeyInfo.h"
#include "CRL.h"
#include "CRLEntry.h"
#include "PKIFCRLNodeEntry.h"
#include "AuthorityKeyIdentifier.h"
#include "SubjectKeyIdentifier.h"
#include "PolicyInformationSet.h"
#include "PolicyMappings.h"
#include "DeltaCRLIndicator.h"
#include "IssuingDistributionPoint.h"
#include "CRLDistributionPoints.h"
#include "CRLDistributionPoint.h"
#include "DistributionPointName.h"
#include "PKIFCRLInfo.h"
#include "GeneralName.h"
#include "AlgorithmIdentifier.h"
#include "BasicConstraints.h"
#include "CRLNumber.h"
#include "CRLStreamIdentifier.h"
#include "KeyUsage.h"
#include "FreshestCRL.h"
#include "Buffer.h"
#include "CRLReason.h"
#include "GottaMatch.h"
#include "PKIFTime.h"
#include "IPKIFCryptoMisc.h"
#include "IPKIFCryptoRawOperations.h"
#include "IPKIFHashContext.h"
#include "CertificateNodeListWithSourceInfo.h"
#include "PKIFPathSettings.h"
#include "PKIFCertStatus.h"
#include "ReasonFlags.h"
#include "ASN1Helper.h"
#include "PKIX1Explicit88.h"
#include "IPKIFCRLRepository.h"
#include "boost/numeric/conversion/cast.hpp"
#include <iterator>
#include "ToolkitUtils.h"
#include "PKIFCryptoErrors.h"
#include "PKIFCryptoPPErrors.h"
#include "PKIFNSSErrors.h"
#include "PKIFKeyMaterial.h"
#include "CRLType.h"
Go to the source code of this file.
Classes | |
| class | ReasonCodeCheck |
| class | DPCompare |
| class | NottaMatch< T > |
| class | ScopeCompare |
Defines | |
| #define | DISCARD_CRL_AND_CONTINUE |
Functions | |
| bool | scoreCompare (const CPKIFCertificateNodeEntryPtr &lhs, const CPKIFCertificateNodeEntryPtr &rhs) |
| bool | KeyIDsMatch (CPKIFAuthorityKeyIdentifierPtr &akid, CPKIFCertificatePtr &curCert) |
| bool | SomeMatch (CPKIFPolicyInformationSetPtr &fromCert, CPKIFPolicyInformationListPtr &polsFromPrevCert, CPKIFPolicyMappingsPtr &policyMappings) |
| CPKIFCRLTypePtr | _TypeOfCRL (const CPKIFCRLPtr &crl) |
| CPKIFX509CRLChecker::CERTTYPES | _ClassifyCert (const CPKIFCertificatePtr &targetCert) |
| bool | _ValidateCRLIssuerName2 (const CPKIFCertificatePtr &targetCert, CPKIFCRLDistributionPointListPtr &dpsFromCRLDP, const CPKIFCRLPtr &crl, CPKIFX509CRLChecker::CRLSCOPE scope, CPKIFCRLDistributionPointPtr &activeCRLDP) |
| bool | _ValidateDP2 (CPKIFCRLDistributionPointListPtr &dpsFromCRLDP, const CPKIFCRLPtr &crl, CPKIFX509CRLChecker::CRLSCOPE scope, CPKIFCRLDistributionPointPtr &activeCRLDP, CPKIFX509CRLChecker::CRLREASONS reasons) |
| bool | _ValidateCRLAuthority (const CPKIFCertificatePtr &targetCert, const CPKIFCRLPtr &crl, CPKIFX509CRLChecker::CRLAUTHORITY authority) |
| int | _CompareCRLNumbers (const char *lhs, const char *rhs) |
| bool | _ValidateDeltaScope (const CPKIFCertificatePtr &targetCert, const CPKIFCRLPtr &crl, CPKIFX509CRLChecker::CRLSCOPE scope, CPKIFCRLList &crlList, CPKIFCRLList &quarantinedDeltas, AssociatedCRLsList &acl) |
| bool | ProcessCriticalCertExtensions (const CPKIFCertificatePtr &targetCert, CPKIFCRLList &crlList) |
| bool | _ProcessReasonCodesOfInterest (const CPKIFCertificatePtr &targetCert, CPKIFCRLList &crlList, CPKIFReasonFlagsPtr reasons) |
| void | _QuarantineExtraneousCRLs (const CPKIFCertificatePtr &targetCert, CPKIFCRLList &crlList, CPKIFCRLList &quarantinedCRLs) |
| bool | _GetHashOfToBeSignedCRL2 (const CPKIFCRLPtr &crl, IPKIFCryptoMisc *cryptoMisc, PKIFCRYPTO::HASH_ALG hashAlg, unsigned char *hashResult, int *hashResultLen) |
| bool | _GetCRLIssuersCert (CPKIFCRLPtr &crl, IPKIFNameAndKey *targetCertIssuersCertNK, const CPKIFCertificatePtr &targetCertIssuersCert, CPKIFCertificateList &crlIssuerCerts, PKIInfoSource source, IPKIFColleague *c, const CPKIFX509CRLChecker::CRLAUTHORITY authority, CPKIFPathSettingsPtr &settings) |
| void | KeyUsageCheckerCRL (const CPKIFCertificateNodeEntryPtr &certNode, CPKIFPathValidationResults &results, CertificateType type) |
Variables | |
| CPKIFOIDPtr | g_ocspNoCheck |
| bool | g_CompatibleScope [CPKIFX509CRLChecker::CT_UNSUPPORTED][CPKIFX509CRLChecker::CS_UNSUPPORTED] |
| bool | g_CompatibleCoverage [CPKIFX509CRLChecker::CT_UNSUPPORTED][CPKIFX509CRLChecker::CC_UNSUPPORTED] |
| #define DISCARD_CRL_AND_CONTINUE |
Value:
{ \
pos = crlList.erase(pos);\
end = crlList.end();\
continue;\
}
| CPKIFX509CRLChecker::CERTTYPES _ClassifyCert | ( | const CPKIFCertificatePtr & | targetCert | ) |
Interface: Subsystem
This function classifies certificate type
| targetCert | [in] Certificate to be classified |
Definition at line 495 of file CCACX509CRLChecker.cpp.
References CPKIFX509CRLChecker::CT_CA, CPKIFX509CRLChecker::CT_CA_DP, CPKIFX509CRLChecker::CT_EE, CPKIFX509CRLChecker::CT_EE_DP, LOG_STRING_DEBUG, and TOOLKIT_PATH_MISC.
| int _CompareCRLNumbers | ( | const char * | lhs, | |
| const char * | rhs | |||
| ) |
Interface: Subsystem
This function compares CRL numbers
| If | lhs > rhs return -1 | |
| If | lhs == rhs return 0 | |
| If | lhs < rhs return 1 |
| lhs | [in] lhs value to compare |
| rhs | [in] rhs value to compare |
Definition at line 916 of file CCACX509CRLChecker.cpp.
References atob(), COMMON_INVALID_INPUT, LOG_STRING_DEBUG, TOOLKIT_PATH_CRL_CHECKER, and TOOLKIT_PATH_MISC.
Referenced by _ValidateDeltaScope().
| bool _GetCRLIssuersCert | ( | CPKIFCRLPtr & | crl, | |
| IPKIFNameAndKey * | targetCertIssuersCertNK, | |||
| const CPKIFCertificatePtr & | targetCertIssuersCert, | |||
| CPKIFCertificateList & | crlIssuerCerts, | |||
| PKIInfoSource | source, | |||
| IPKIFColleague * | c, | |||
| const CPKIFX509CRLChecker::CRLAUTHORITY | authority, | |||
| CPKIFPathSettingsPtr & | settings | |||
| ) |
Interface: Subsystem
This function is used to obtain CRL issuers certificate
| crl | [in] A reference to a smart pointer to CPKIFCRL object |
| targetCertIssuersCertNK | [out] |
| crlIssuerCerts | [out] A reference to CPKIFCertificateList object which will contain the obtained certs |
| c | [in] Pointer to an object that implements the IPKIFColleague interface |
| authority | [in] CRL authority (CA_DIRECT, CA_INDIRECT, CA_UNSUPPORTED) |
| settings | [in] Reference to a CPKIFPathSettings object containing path settings |
Definition at line 1594 of file CCACX509CRLChecker.cpp.
References CPKIFX509CRLChecker::CA_INDIRECT, CertIsSelfIssued(), IPKIFCertRepository::GetCertificates(), IPKIFColleague::GetMediatorFromParent(), IPKIFNameAndKey::GetSubjectName(), IPKIFTrustCache::GetTrustRoots(), KeyIDsMatch(), LOG_STRING_DEBUG, PKIFENUMS::REMOTE, scoreCompare(), SomeMatch(), and TOOLKIT_PATH_MISC.
| bool _GetHashOfToBeSignedCRL2 | ( | const CPKIFCRLPtr & | crl, | |
| IPKIFCryptoMisc * | cryptoMisc, | |||
| PKIFCRYPTO::HASH_ALG | hashAlg, | |||
| unsigned char * | hashResult, | |||
| int * | hashResultLen | |||
| ) |
Interface: Subsystem
This function takes a CRL, a pointer to a crypto misc interface, a hash alg and length of return buffer and returns the hash value of the to-be-signed CRL and the length of the hash.
| CPKIFPathException(COMMON_INVALID_INPUT) |
| crl | CRL to-be-signed part of which will be hashed |
| cryptoMisc | [in] Pointer to crypto misc interface |
| hashAlg | [in] Hash algorithm |
| hashResult | [out] Buffer that contains the resulting hash |
| hashResultLen | [out] Length of the resulting hash |
Definition at line 1489 of file CCACX509CRLChecker.cpp.
References COMMON_INVALID_INPUT, LOG_STRING_DEBUG, TOOLKIT_PATH_CRL_CHECKER, and TOOLKIT_PATH_MISC.
| bool _ProcessReasonCodesOfInterest | ( | const CPKIFCertificatePtr & | targetCert, | |
| CPKIFCRLList & | crlList, | |||
| CPKIFReasonFlagsPtr | reasons | |||
| ) |
Interface: External
This function is not implemented PKIF currently does not support reason-based partitioning
| targetCert | [in] Reference to a smart pointer to a CPKIFCertificate object containing the target certificate |
| crlList | [in] A reference to CPKIFCRLList obejct |
| reasons | [in] Reference to a smart pointer to a CPKIFReasonFlags object containing the reason codes of interest |
Definition at line 1265 of file CCACX509CRLChecker.cpp.
References CPKIFReasonFlags::GetAACompromise(), CPKIFReasonFlags::GetAffiliationChanged(), CPKIFReasonFlags::GetCACompromise(), CPKIFReasonFlags::GetCessationOfOperation(), CPKIFReasonFlags::GetKeyCompromise(), CPKIFReasonFlags::GetPrivilegeWithdrawn(), CPKIFReasonFlags::GetSuperseded(), CPKIFReasonFlags::GetUnused(), CPKIFReasonFlags::SetAACompromise(), CPKIFReasonFlags::SetAffiliationChanged(), CPKIFReasonFlags::SetCACompromise(), CPKIFReasonFlags::SetCertificateHold(), CPKIFReasonFlags::SetCessationOfOperation(), CPKIFReasonFlags::SetKeyCompromise(), CPKIFReasonFlags::SetPrivilegeWithdrawn(), ReasonCodeCheck::SetReasonCodesOfInterest(), CPKIFReasonFlags::SetSuperseded(), ReasonCodeCheck::SetTargetCert(), and CPKIFReasonFlags::SetUnused().
| void _QuarantineExtraneousCRLs | ( | const CPKIFCertificatePtr & | targetCert, | |
| CPKIFCRLList & | crlList, | |||
| CPKIFCRLList & | quarantinedCRLs | |||
| ) |
Interface: Subsystem
This function quarantines extraneous CRLs
| targetCert | [in] Target certificate |
| crlList | [in] CRL list that will be checked for extraneous CRLs |
| quarantinedCRLs | [out] CRL that will contain the extraneous CRLs |
Definition at line 1420 of file CCACX509CRLChecker.cpp.
References LOG_STRING_DEBUG, DPCompare::SetIDPName(), NottaMatch< T >::SetRHS(), and TOOLKIT_PATH_MISC.
| CPKIFCRLTypePtr _TypeOfCRL | ( | const CPKIFCRLPtr & | crl | ) |
Interface: Subsystem
This function classifies CRL type
| crl | CRL to be classified |
Definition at line 372 of file CCACX509CRLChecker.cpp.
References CPKIFX509CRLChecker::CA_DIRECT, CPKIFX509CRLChecker::CA_INDIRECT, CPKIFX509CRLChecker::CC_ALL, CPKIFX509CRLChecker::CC_CAONLY, CPKIFX509CRLChecker::CC_EEONLY, CPKIFX509CRLChecker::CR_ALLREASONS, CPKIFX509CRLChecker::CR_SOMEREASONS, CPKIFX509CRLChecker::CS_COMPLETE, CPKIFX509CRLChecker::CS_DELTA, CPKIFX509CRLChecker::CS_DP, LOG_STRING_DEBUG, and TOOLKIT_PATH_MISC.
Referenced by ScopeCompare::operator()(), and ProcessCriticalCertExtensions().
| bool _ValidateCRLAuthority | ( | const CPKIFCertificatePtr & | targetCert, | |
| const CPKIFCRLPtr & | crl, | |||
| CPKIFX509CRLChecker::CRLAUTHORITY | authority | |||
| ) |
Interface: Subsystem
This function validates CRL authority (discard CRL upon failure)
If the CRL issuer name does not match the cert issuer name, the indirectCRL field must be present in the IDP.
| targetCert | [in] Reference to a smart pointer to a CPKIFCertificate object containing the target certificate |
| crl | [in] A refecence to a smart pointer to CPKIFCRL object |
| authority | [in] CRL authority (CA_DIRECT, CA_INDIRECT, CA_UNSUPPORTED) |
Definition at line 885 of file CCACX509CRLChecker.cpp.
References CPKIFX509CRLChecker::CA_INDIRECT, LOG_STRING_DEBUG, and TOOLKIT_PATH_MISC.
| bool _ValidateCRLIssuerName2 | ( | const CPKIFCertificatePtr & | targetCert, | |
| CPKIFCRLDistributionPointListPtr & | dpsFromCRLDP, | |||
| const CPKIFCRLPtr & | crl, | |||
| CPKIFX509CRLChecker::CRLSCOPE | scope, | |||
| CPKIFCRLDistributionPointPtr & | activeCRLDP | |||
| ) |
Interface: Subsystem
This function validates CRL issuer name
| targetCert | [in] Target certificate |
| dpsFromCRLDP | [in] Distribution points from CRLDP |
| crl | [in] CRL to obtain crl issuer |
| scope | [in] Scope |
| activeCRLDP | [out] Active CRLDP |
Definition at line 598 of file CCACX509CRLChecker.cpp.
References CPKIFGeneralName::DIRECTORYNAME, LOG_STRING_DEBUG, and TOOLKIT_PATH_MISC.
| bool _ValidateDeltaScope | ( | const CPKIFCertificatePtr & | targetCert, | |
| const CPKIFCRLPtr & | crl, | |||
| CPKIFX509CRLChecker::CRLSCOPE | scope, | |||
| CPKIFCRLList & | crlList, | |||
| CPKIFCRLList & | quarantinedDeltas, | |||
| AssociatedCRLsList & | acl | |||
| ) |
Interface: Subsystem
This function valiedates delta scope
| targetCert | [in] Reference to a smart pointer to a CPKIFCertificate object containing the target certificate |
| crl | [in] A refecence to a smart pointer to CPKIFCRL object |
| scope | [in] CRL scope (CS_COMPLETE, CS_DP, CS_DELTA, CS_DELTA_DP, CS_UNSUPPORTED) |
| crlList | [in] A reference to CPKIFCRLList obejct |
| quarantinedDeltas | [out] CRL that will contain the quarantined delta crls |
| acl | [in] A reference to AssociatedCRLsList obejct |
Definition at line 980 of file CCACX509CRLChecker.cpp.
References _CompareCRLNumbers(), CPKIFX509CRLChecker::CS_DELTA, CPKIFX509CRLChecker::CS_DELTA_DP, LOG_STRING_DEBUG, and TOOLKIT_PATH_MISC.
| bool _ValidateDP2 | ( | CPKIFCRLDistributionPointListPtr & | dpsFromCRLDP, | |
| const CPKIFCRLPtr & | crl, | |||
| CPKIFX509CRLChecker::CRLSCOPE | scope, | |||
| CPKIFCRLDistributionPointPtr & | activeCRLDP, | |||
| CPKIFX509CRLChecker::CRLREASONS | reasons | |||
| ) |
Interface: Subsystem
This function validates distribution point
If reasons field is present in CRL DP, the onlySomeReasons field of the IDP shall be absent or
| dpsFromCRLDP | DPs to be validated |
| crl | CRL to be validated |
| scope | [in] Scope |
| activeCRLDP | [out] Active CRLDP |
| reasons | [out] Reasons |
Definition at line 687 of file CCACX509CRLChecker.cpp.
References CPKIFX509CRLChecker::CR_ALLREASONS, CPKIFX509CRLChecker::CS_DELTA_DP, CPKIFX509CRLChecker::CS_DP, LOG_STRING_DEBUG, GeneralNamesCompare::SetGeneralNames(), and TOOLKIT_PATH_MISC.
Referenced by ProcessCriticalCertExtensions().
| bool KeyIDsMatch | ( | CPKIFAuthorityKeyIdentifierPtr & | akid, | |
| CPKIFCertificatePtr & | curCert | |||
| ) |
Interface: Subsystem
This is a helper function that compares the AKID and SKID for a match
| akid | [in] The authority key id to compare |
| curCert | [in] Certificate from which SKID will be obtained |
Definition at line 133 of file CACDefaultScoring.cpp.
References CPKIFGeneralName::DIRECTORYNAME, LOG_STRING_DEBUG, stricmp, and TOOLKIT_PATH_MISC.
Referenced by _GetCRLIssuersCert(), CheckKIDsAndSignatures(), KeyIDsMatch(), KeyIDCompare::operator()(), and CPKIFDefaultScoring::ScoreAndSortNodes().
| void KeyUsageCheckerCRL | ( | const CPKIFCertificateNodeEntryPtr & | certNode, | |
| CPKIFPathValidationResults & | results, | |||
| CertificateType | type | |||
| ) |
Interface: Module
This function makes sure tah EE cert has a key usage extension with CRLSign
| certNode | [in] A reference to a pointer to CPKIFCertificateNodeEntry object which contains the cert |
| results | [in] Reference to a CPKIFPathValidationResults object containing the results of a validation operation |
| type | [in] CertificateType value indicating the type of certificate, e.g. EE or CA |
Definition at line 2489 of file CCACX509CRLChecker.cpp.
References PKIFENUMS::EE.
| bool ProcessCriticalCertExtensions | ( | const CPKIFCertificatePtr & | targetCert, | |
| CPKIFCRLList & | crlList | |||
| ) |
Interface: External
This function processed critical certificate extensions
| targetCert | [in] Targer certificate |
| crlList | [in] CRL list |
Definition at line 1099 of file CCACX509CRLChecker.cpp.
References _TypeOfCRL(), _ValidateDP2(), CPKIFX509CRLChecker::CS_COMPLETE, LOG_STRING_DEBUG, and TOOLKIT_PATH_MISC.
| bool scoreCompare | ( | const CPKIFCertificateNodeEntryPtr & | lhs, | |
| const CPKIFCertificateNodeEntryPtr & | rhs | |||
| ) |
Interface: Subsystem
This is a helper function the compares the builder score on two CPKIFCertificateNodeEntry objects
| lhs | [in] Reference to smart pointer to a CPKIFCertificateNodeEntry object containing the lhs |
| rhs | [in] Reference to smart pointer to a CPKIFCertificateNodeEntry object containing the rhs |
Definition at line 95 of file CACDefaultScoring.cpp.
References LOG_STRING_DEBUG, and TOOLKIT_PATH_MISC.
Referenced by _GetCRLIssuersCert(), ScoreAndSortNodes(), and CPKIFDefaultScoring::ScoreAndSortNodes().
| bool SomeMatch | ( | CPKIFPolicyInformationSetPtr & | fromCert, | |
| CPKIFPolicyInformationListPtr & | polsFromPrevCert, | |||
| CPKIFPolicyMappingsPtr & | policyMappings | |||
| ) |
Interface: Subsystem
This is a helper function that compares policy information for some match
| fromCert | [in]A pointer to a reference to CPKIFPolicyInformationSet object containing the policies from certificate |
| polsFromPrevCert | [in]A pointer to a reference to CPKIFPolicyInformationSet object containing the policies from the previous certificate |
| policyMappings | [in]A pointer to a reference to CPKIFPolicyInformationSet object |
Definition at line 306 of file CACDefaultScoring.cpp.
References g_anyPolicy, and GottaMatch< T >::SetRHS().
Referenced by _GetCRLIssuersCert(), CheckPolicies(), CPKIFDefaultScoring::ScoreAndSortNodes(), and SomeMatch().
| bool g_CompatibleCoverage[CPKIFX509CRLChecker::CT_UNSUPPORTED][CPKIFX509CRLChecker::CC_UNSUPPORTED] |
Initial value:
{
{true, true, false},
{true, true, false},
{true, false, true},
{true, false, true}
}
Definition at line 203 of file CCACX509CRLChecker.cpp.
| bool g_CompatibleScope[CPKIFX509CRLChecker::CT_UNSUPPORTED][CPKIFX509CRLChecker::CS_UNSUPPORTED] |
Initial value:
{
{true, true, true, true},
{true, false, true, false},
{true, true, true, true},
{true, false, true, false}
}
Definition at line 195 of file CCACX509CRLChecker.cpp.
| CPKIFOIDPtr g_ocspNoCheck |
1.5.6