EnvelopedData.cpp

Go to the documentation of this file.

#include "EnvelopedData.h"
#include "private/PrivatePKIFCMSUtils.h"

#include "Attribute.h"
#include "Buffer.h"
#include "EncryptedContentInfo.h"
#include "OID.h"
#include "AlgorithmIdentifier.h"
#include "KEKRecipInfoDetails.h"
//#include "KARIDetails.h"
#include "RecipientInfo.h"
#include "SubjectKeyIdentifier.h"
#include "SubjectPublicKeyInfo.h"
#include "Name.h"
#include "KeyUsage.h"
#include "Certificate.h"
#include "CRL.h"

#include "PKIFFuncStorage.h"
#include "ToolkitUtils.h"
#include "PKIFMessageException.h"
#include "PKIFCMSMessageMemoryHelper.h"
#include "ASN1Helper.h"
#include "PKIFBase64.h"

#include "IPKIFDefaultKeyManagement.h"
#include "IPKIFCryptoKeyIDOperations.h"
#include "IPKIFPathBuild.h"
#include "IPKIFPathValidate.h"
#include "IPKIFCryptoRawOperations.h"
#include "IPKIFCryptoMisc.h"
#include "PKIFAlgorithm.h"
#include "IPKIFCryptoKeyAgree.h"

#include "PKIFCMSAttributeMediator2.h"

#include "CryptographicMessageSyntax2004.h"

#include <iterator>

struct CPKIFEnvelopedDataImpl
{
    

    CPKIFEnvelopedData *m_parent;
    CPKIFEnvelopedDataImpl () 
    {
        m_parent = NULL;
    }
    CPKIFEnvelopedDataImpl (CPKIFEnvelopedData  *p) 
    {
        m_parent = p;
    }

    CPKIFEnvelopedData::CMSVersion m_version;
    CPKIFCertificateList m_certificates;    //originator certs
    CPKIFCRLList m_crls;                    //originator crls
    CPKIFRecipientInfoList m_recipientInfos;

    CPKIFCertificateList m_recipients;
    CPKIFEncryptedContentInfoPtr m_dataToEncrypt;

    CPKIFAttributeList m_unprotectedAttributes;

    CPKIFBufferPtr m_decodeBuf; //added 10/20/03

    CPKIFPathSettingsPtr m_settings;

    CPKIFASNWrapper<CACCMSEnvelopedData>* m_envelopedData;
    PKIFCRYPTO::SYMKEY_ALG m_alg;
    PKIFCRYPTO::SYMKEY_MODE m_mode;

    CPKIFKEKRecipInfoDetailsList m_keks;
    //CPKIFKARIDetailsList m_karis;

    IPKIFMediatorPtr m_med;

    CPKIFCredentialPtr m_cred;

    //functions called by encode
    void PrepareEncryptedContent(CACCMSEnvelopedData* pEnvelopedData, unsigned char** keyData, int* keyDataLen);
    void PrepareRecipientInfos(CACCMSEnvelopedData* pEnvelopedData, unsigned char* keyData, int keyDataLen);
    void PrepareOriginatorInfo(CACCMSEnvelopedData* pEnvelopedData);

    //function called by decode
    void populateUnsignedAttributesVector(const CACCMSUnsignedAttributes& ua);

    //functions called by PrepareOriginatorInfo
    void AddCerts(CACCMSEnvelopedData* pEnvelopedData);
    void AddCRLs(CACCMSEnvelopedData* pEnvelopedData);

    void RemoveRecipInfos(CACCMSEnvelopedData* envelopedData);

    void MakeEnvelopedData();
    void FreeEnvelopedData();
};


//*****************************************************************************
//  utility functions (implemented in CACCMSUtils.cpp)
//*****************************************************************************


//*****************************************************************************
//  constructors, destructors, makzenfriez
//*****************************************************************************
CPKIFEnvelopedData::CPKIFEnvelopedData()
    :m_impl (new CPKIFEnvelopedDataImpl)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::CPKIFEnvelopedData()", TOOLKIT_CRYPTO_MISC, 0, this);
    m_impl->m_parent = this;
    m_impl->m_version = CMSv0;
    m_impl->m_alg = PKIFCRYPTO::TDES;
    m_impl->m_mode = PKIFCRYPTO::CBC;

    m_impl->m_envelopedData = NULL;
    m_impl->MakeEnvelopedData();

    SetContentType(g_envelopedData);
}
CPKIFEnvelopedData::~CPKIFEnvelopedData()
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::~CPKIFEnvelopedData()", TOOLKIT_CRYPTO_MISC, 0, this);

    m_impl->FreeEnvelopedData();

    //added 10/7/2003
    //RemoveMediatorAssociations();

    delete m_impl;
    m_impl = NULL;
}

void CPKIFEnvelopedData::SetMediator(
    IPKIFMediatorPtr& m)
{
    m_impl->m_med = m;
}
IPKIFMediatorPtr CPKIFEnvelopedData::GetMediator()
{
    return m_impl->m_med;
}

void CPKIFEnvelopedDataImpl::MakeEnvelopedData()
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::MakeEnvelopedData()", TOOLKIT_CRYPTO_MISC, 0, this);

    FreeEnvelopedData();

    //throw bad_alloc (this function is invoked from the constructor and ClearContent)
    m_envelopedData = new CPKIFASNWrapper<CACCMSEnvelopedData>( BEREncCACCMSEnvelopedData, BERDecCACCMSEnvelopedData );
}
void CPKIFEnvelopedDataImpl::FreeEnvelopedData()
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::FreeEnvelopedData()", TOOLKIT_CRYPTO_MISC, 0, this);

    if(NULL != m_envelopedData)
        delete m_envelopedData;
    m_envelopedData = NULL;

    CPKIFBufferPtr emptyBP;
    m_decodeBuf = emptyBP;
}

//*****************************************************************************
//  field manipulation functions
//*****************************************************************************
void CPKIFEnvelopedData::SetAlgorithmAndMode(
    PKIFCRYPTO::SYMKEY_ALG alg,
    PKIFCRYPTO::SYMKEY_MODE mode)
{
    m_impl->m_alg = alg;
    m_impl->m_mode = mode;
}
PKIFCRYPTO::SYMKEY_ALG CPKIFEnvelopedData::GetAlgorithm() const
{
    return m_impl->m_alg;
}
PKIFCRYPTO::SYMKEY_MODE CPKIFEnvelopedData::GetMode() const
{
    return m_impl->m_mode;
}

//version (required)
CPKIFEnvelopedData::CMSVersion CPKIFEnvelopedData::GetVersion() const
{
    return m_impl->m_version;
}
void CPKIFEnvelopedData::SetDataToEncrypt(
    CPKIFEncryptedContentInfoPtr& buf)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::SetDataToEncrypt(CPKIFEncryptedContentInfoPtr& buf)", TOOLKIT_CRYPTO_MISC, 0, this);

    //This function can be used to set the data to encrypt to NULL.  It cannot
    //be used to set an incomplete data to encrypt structure.
    if(buf != (CPKIFEncryptedContentInfo*)NULL)
    {
        //this object MUST feature a content type oid and some content.
        //the alg id will be prepared automatically based on the key material.
        CPKIFOIDPtr tmpOID = buf->GetOID();
        CPKIFBufferPtr tmpBuf = buf->GetContent();
        if(tmpOID == (CPKIFOID*)NULL || tmpBuf == (CPKIFBuffer*)NULL)
            throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);
    }

    m_impl->m_dataToEncrypt = buf;
}
void CPKIFEnvelopedData::AddUnprotectedAttribute(
    CPKIFAttributePtr& attr)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::AddUnprotectedAttribute(CPKIFAttributePtr& attr)", TOOLKIT_CRYPTO_MISC, 0, this);

    //accept no NULLs
    if(attr == (CPKIFAttribute*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //If we're adding following a call to decode, then we should first read the attributes
    //that were decoded prior to pushing the new attribute into the list.
    if(m_impl->m_unprotectedAttributes.empty())
    {
        CPKIFAttributeList ual;
        GetUnprotectedAttributes(ual);
    }

    //Push the new attribute into the list.
    m_impl->m_unprotectedAttributes.push_back(attr);
}
void CPKIFEnvelopedData::GetUnprotectedAttributes(
    CPKIFAttributeList& ual)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::GetUnprotectedAttributes(CPKIFAttributeList& ual)", TOOLKIT_CRYPTO_MISC, 0, this);

    ual.clear();

    //If m_unprotectedAttributes is not empty then we've already populated it and need not do so again.
    //If it's not empty, then we need to have a decoded object from which attributes will be read.
    if(m_impl->m_unprotectedAttributes.empty() && NULL != m_impl->m_envelopedData && NULL != m_impl->m_envelopedData->data() && (*m_impl->m_envelopedData)->m.unprotectedAttrsPresent)
        m_impl->populateUnsignedAttributesVector((*m_impl->m_envelopedData)->unprotectedAttrs);

    copy(m_impl->m_unprotectedAttributes.begin(),m_impl->m_unprotectedAttributes.end(), back_inserter(ual));
}

void CPKIFEnvelopedData::ClearContent()
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::ClearContent(bool removeMediatorAssociations)", TOOLKIT_CRYPTO_MISC, 0, this);

    //free and make
    m_impl->FreeEnvelopedData();
    m_impl->MakeEnvelopedData();

    //zero the version and reset alg and mode
    m_impl->m_version = CMSv0;
    m_impl->m_alg = PKIFCRYPTO::TDES;
    m_impl->m_mode = PKIFCRYPTO::CBC;

    //clear the lists
    m_impl->m_certificates.clear();
    m_impl->m_crls.clear();
    m_impl->m_recipientInfos.clear();
    m_impl->m_recipients.clear();

    m_impl->m_unprotectedAttributes.clear();
    m_impl->m_keks.clear();
    //m_impl->m_karis.clear();

    //create and assign empty smart pointers
    CPKIFEncryptedContentInfoPtr tmp;
    m_impl->m_dataToEncrypt = tmp;

    CPKIFPathSettingsPtr tmpSettings;
    m_impl->m_settings = tmpSettings;

    IPKIFMediatorPtr tmp2;
    m_impl->m_med = tmp2;

}

void CPKIFEnvelopedData::AddOriginatorCertificate(
    CPKIFCertificatePtr& cert) 
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::AddOriginatorCertificate(CPKIFCertificatePtr& cert)", TOOLKIT_CRYPTO_MISC, 0, this);

    //accept no NULLs
    if(cert == (CPKIFCertificate*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //accept no empty certs
    CPKIFBufferPtr encCert = cert->Encoded();
    if(encCert == (CPKIFBuffer*)NULL || 0 == encCert->GetLength())
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //if m_certs is empty - see if there are any from a decode operation
    if(m_impl->m_certificates.empty())
    {
        CPKIFCertificateList certs;
        GetOriginatorCertificates(certs);
    }

    m_impl->m_certificates.push_back(cert);
}
void CPKIFEnvelopedData::GetOriginatorCertificates(
    CPKIFCertificateList& certs)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::GetOriginatorCertificates(CPKIFCertificateList& certs)", TOOLKIT_CRYPTO_MISC, 0, this);

    //return list containing contents of m_certificates plus certs in m_signedData.
    //destroy certs in m_signedData after adding them to m_certificates (don't really
    //destroy certs - just change flag so they don't get ignored in the future).

    certs.clear();

    //first, update m_certificates with any certs from m_signedData
    if(NULL != m_impl->m_envelopedData && NULL != m_impl->m_envelopedData->data() && (*m_impl->m_envelopedData)->m.originatorInfoPresent && (*m_impl->m_envelopedData)->originatorInfo.m.certsPresent)
    {
        DListNode* iter = (*m_impl->m_envelopedData)->originatorInfo.certs.head;
        while(NULL != iter)
        {
            CACCMSCertificateChoices* curChoice = (CACCMSCertificateChoices*)iter->data;
            if(T_CACCMSCertificateChoices_certificate != curChoice->t)
            {
                iter = iter->next;
                continue;
            }

            ASN1OpenType* cert = (ASN1OpenType*)curChoice->u.certificate;
            
            try
            {
                CPKIFCertificatePtr newCert(new CPKIFCertificate());
                newCert->Decode(cert->data, cert->numocts);
                m_impl->m_certificates.push_back(newCert);
            }
            catch(CPKIFException&)
            {
                //as with invalid certs in a directory entry, don't fail if we can't 
                //parse a cert - just don't collect it
            }
            catch(std::bad_alloc& ba)
            {
                //empty the list and throw the exception
                m_impl->m_certificates.clear();
                throw ba;
            }

            iter = iter->next;
        }

        //change the flag on the data so we don't execute this condition again
        (*m_impl->m_envelopedData)->originatorInfo.m.certsPresent = 0;
    }

    //next, copy the contents of the m_certificates list to the certs list
    copy(m_impl->m_certificates.begin(), m_impl->m_certificates.end(), back_inserter(certs));
}
void CPKIFEnvelopedData::AddOriginatorCRL(
    CPKIFCRLPtr& crl) 
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::AddOriginatorCRL(CPKIFCRLPtr& crl)", TOOLKIT_CRYPTO_MISC, 0, this);

    //accept no NULLs
    if(crl == (CPKIFCRL*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //accept no empty certs
    CPKIFBufferPtr encCRL = crl->Encoded();
    if(encCRL == (CPKIFBuffer*)NULL || 0 == encCRL->GetLength())
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //if m_crls is empty - see if there are any from a decode operation
    if(m_impl->m_crls.empty())
    {
        CPKIFCRLList crls;
        GetOriginatorCRLs(crls);
    }

    m_impl->m_crls.push_back(crl);
}

void CPKIFEnvelopedData::SetOriginatorCredential(CPKIFCredentialPtr & cred)
{
    m_impl->m_cred = cred;
}

void CPKIFEnvelopedData::GetOriginatorCRLs(
    CPKIFCRLList& crls)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::GetOriginatorCRLs(CPKIFCRLList& crls)", TOOLKIT_CRYPTO_MISC, 0, this);

    //return list containing contents of m_crls plus crls in m_signedData.
    //destroy crls in m_signedData after adding them to m_crls (don't really
    //destroy crls - just change flag so they don't get ignored in the future).

    crls.clear();

    //first, update m_crls with any crls from m_signedData
    if(NULL != m_impl->m_envelopedData && NULL != m_impl->m_envelopedData->data() && (*m_impl->m_envelopedData)->m.originatorInfoPresent && (*m_impl->m_envelopedData)->originatorInfo.m.crlsPresent)
    {
        DListNode* iter = (*m_impl->m_envelopedData)->originatorInfo.crls.head;
        while(NULL != iter)
        {
            CACCMSRevocationInfoChoice* curChoice = (CACCMSRevocationInfoChoice*)iter->data;

            if(T_CACCMSRevocationInfoChoice_crl != curChoice->t)
            {
                iter = iter->next;
                continue;
            }

            ASN1OpenType* crl = (ASN1OpenType*)curChoice->u.crl;
            
            try
            {
                CPKIFCRLPtr newCRL(new CPKIFCRL());
                newCRL->Decode(crl->data, crl->numocts);
                m_impl->m_crls.push_back(newCRL);
            }
            catch(CPKIFException&)
            {
                //as with invalid crls in a directory entry, don't fail if we can't 
                //parse a crl - just don't collect it
            }
            catch(std::bad_alloc& ba)
            {
                //empty the list and throw the exception
                m_impl->m_certificates.clear();
                throw ba;
            }
    
            iter = iter->next;
        }

        //change the flag on the data so we don't execute this condition again
        (*m_impl->m_envelopedData)->originatorInfo.m.crlsPresent = 0;
    }

    //next, copy the contents of the m_crls list to the crls list
    copy(m_impl->m_crls.begin(), m_impl->m_crls.end(), back_inserter(crls));
}
void CPKIFEnvelopedData::AddRecipient(
    CPKIFCertificatePtr& cert,
    CMSPathValidationStatus minStatus) 
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::AddRecipient(CPKIFCertificatePtr& cert, CMSPathValidationStatus minStatus)", TOOLKIT_CRYPTO_MISC, 0, this);

    //NULL and empty checks are performed in the version of AddRecipient that is called below

    //throw bad_allocs
    CPKIFCertificatePathPtr path(new CPKIFCertificatePath);
    CPKIFPathValidationResultsPtr valResults(new CPKIFPathValidationResults);

    //throw any PKIFExceptions or bad_allocs
    AddRecipient(cert, path, valResults, minStatus);
}
void CPKIFEnvelopedData::AddRecipient(
    CPKIFKEKRecipInfoDetailsPtr& kek)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::AddRecipient(CPKIFKEKRecipInfoDetailsPtr& kek)", TOOLKIT_CRYPTO_MISC, 0, this);

    //accept no NULLs
    if(kek == (CPKIFKEKRecipInfoDetails*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    m_impl->m_keks.push_back(kek);
}

//void CPKIFEnvelopedData::AddRecipient(
//  //!A smart poiter to CPKIFKEKRecipInfoDetails object which contains a symmetric key that can be used to
//  //!encrypt the content encryption key.
//  CPKIFKARIDetailsPtr & kari)
//{
//  LOG_STRING_DEBUG("CPKIFEnvelopedData::AddRecipient(CPKIFKARIDetailsPtr& kari)", TOOLKIT_CRYPTO_MISC, 0, this);
//
//  //accept no NULLs
//  if(kari == (CPKIFKARIDetailsPtr*)NULL)
//      throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);
//
//  m_impl->m_karis.push_back(kari);
//}

void CPKIFEnvelopedData::AddRecipient(
    CPKIFCertificatePtr& cert,
    CPKIFCertificatePathPtr& path,
    CPKIFPathValidationResultsPtr& valResults,
    CMSPathValidationStatus minStatus)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::AddRecipient(CPKIFCertificatePtr& cert, CPKIFCertificatePathPtr& path, CPKIFPathValidationResultsPtr& valResults, CMSPathValidationStatus minStatus)", TOOLKIT_CRYPTO_MISC, 0, this);

    //This function is used to add a recipient, i.e. a certificate that will be used to encrypt the key
    //that is used to encrypt the message.

    //added NULL path and results object 2/23/05
    CPKIFCertificatePathPtr tmpNULLPath;
    CPKIFPathValidationResultsPtr tmpNULLResults;

    //set outbound values to temps, 2/23/05
    path = tmpNULLPath;
    valResults = tmpNULLResults;

    //if the cert is NULL then we should complain to the application via an exception
    if(cert == (CPKIFCertificate*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "cert parameter is NULL.");

    //accept no empty certs
    CPKIFBufferPtr encCert = cert->Encoded();
    if(encCert == (CPKIFBuffer*)NULL || 0 == encCert->GetLength())
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "cert parameter is empty");

    //if the caller does not require path validation then simply push the recipient
    if(PVS_NOT_VALIDATED == minStatus)
    {
        m_impl->m_recipients.push_back(cert);
        return;
    }

    //make sure we have the necessary mediator interfaces (these are the ones we use directly - there
    //may be others that are missing in which case the mediator that needs the missing interface will complain)
    if(NULL == m_impl->m_med)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "Mediator is not available.");

    IPKIFPathBuild* cBuild = m_impl->m_med->GetMediator<IPKIFPathBuild>();
    if(NULL == cBuild)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFPathBuild interface is not available.");

    IPKIFPathValidate* cValidate = m_impl->m_med->GetMediator<IPKIFPathValidate>();
    if(NULL == cValidate)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFPathValidate interface is not available.");

    //determine if the certificate is an encryption cert - if it is not then throw an exception
    //(this check is performed as part of the path validation below - but we can fail early if we check now)
    CPKIFKeyUsagePtr keyUsage = cert->GetExtension<CPKIFKeyUsage>();
    if(keyUsage != (CPKIFKeyUsage*)NULL && !keyUsage->KeyEncipherment())
        throw CPKIFMessageException(thisComponent, MSG_INVALID_RECIP, "Recipient certificate is not valid for encryption purposes.");

    //added temporary path and results object 2/15/05
    CPKIFCertificatePathPtr tmpPath(new CPKIFCertificatePath);
    CPKIFPathValidationResultsPtr tmpResults(new CPKIFPathValidationResults);

    //set outbound values to temps, 2/15/05
    path = tmpPath;
    valResults = tmpResults;

    //next, we will attempt to build and validate a path to the recipient certificate
    tmpPath->SetTarget(cert);
    
    //if settings have been associated with this object use them, otherwise defer to the default 
    //settings (either set on the path processing mediator or defined the default permissive set)
    if(m_impl->m_settings != (CPKIFPathSettings*)NULL)
        tmpPath->SetPathSettings(m_impl->m_settings);

    //create a functor that checks the key usage bit on the EE cert
    //Functor<void, TYPELIST_3(const CPKIFCertificateNodeEntryPtr&, CPKIFPathValidationResults&, CertificateType)> keyUsageEncFunctor(keyUsageChecker_Encryption);
    CPKIFFuncStoragePtr keyUsageEncFunctor(new CPKIFFuncStorage(keyUsageChecker_Encryption));

    bool pushRecips = false;
    try
    {
        //added do/while and new breaks 2/15/05
        do
        {
            if(!cBuild->BuildPath(*tmpPath))
                break; //no build, break out and fail

            if(cValidate->ValidatePath(*tmpPath, *tmpResults, keyUsageEncFunctor))
            {
                switch(minStatus)
                {
                case PVS_CERT_PATH_VERIFIED:
                    if(tmpResults->GetBasicChecksSuccessfullyPerformed() && tmpResults->GetCertSignaturesVerified())
                        pushRecips = true;
                    break;
                case PVS_REV_STATUS_VERIFIED:
                    if(NOT_REVOKED == tmpResults->GetRevocationStatusMostSevere())
                        pushRecips = true;
                    break;
                }
            }
        }while(1 && !pushRecips); //loop until no path is found or good path is found
    }
    catch(CPKIFMessageException& me)
    {
        throw me;
    }
    catch(CPKIFException& e)
    {
        CPKIFMessageException me(thisComponent, MSG_INVALID_RECIP, "Failed to build a valid path to the recipient's certificate.");
        me.push_info(e);
        throw me;
    }

    if(pushRecips)
    {
        m_impl->m_recipients.push_back(cert);
    }
    else
        throw CPKIFMessageException(thisComponent, MSG_INVALID_RECIP, "Failed to build a valid path to the recipient's certificate.");
}
void CPKIFEnvelopedData::GetRecipientInfos(
    CPKIFRecipientInfoList& recipInfos) const
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::GetRecipientInfos(CPKIFRecipientInfoList& recipInfos)", TOOLKIT_CRYPTO_MISC, 0, this);

    recipInfos.clear();

    if(m_impl->m_recipientInfos.empty() && NULL != m_impl->m_envelopedData && NULL != m_impl->m_envelopedData->data())
    {
        CPKIFEnvelopedData* nonConstED = const_cast<CPKIFEnvelopedData*>(this);

        DListNode* iter = (*m_impl->m_envelopedData)->recipientInfos.head;
        while(NULL != iter)
        {
            CACCMSRecipientInfo* ri = (CACCMSRecipientInfo*)iter->data;
            
            try
            {
                CACASNWRAPPER_CREATE(CACCMSRecipientInfo, InfoWrapper);
                ASN1OpenType *data = InfoWrapper.Encode((CACCMSRecipientInfo*)iter->data);
                CPKIFBufferPtr riBuf(new CPKIFBuffer(data->data, data->numocts));
                delete data;
                
                //do fail if all recipient infos cannot be parsed
                //CPKIFRecipientInfoPtr newCert(new CPKIFRecipientInfo(*ri));
                CPKIFRecipientInfoPtr newCert(new CPKIFRecipientInfo(riBuf));
                nonConstED->m_impl->m_recipientInfos.push_back(newCert);
            }
            catch(...)
            {
                nonConstED->m_impl->m_recipientInfos.clear();
                throw;
            }
    
            iter = iter->next;
        }
    }

    copy(m_impl->m_recipientInfos.begin(), m_impl->m_recipientInfos.end(), back_inserter(recipInfos));
}
void CPKIFEnvelopedData::SetPathSettings(
    CPKIFPathSettingsPtr& settings) 
{
    //do accept NULLs - so previously set custom settings can be replaced by defaults
    m_impl->m_settings = settings;
}

//*****************************************************************************
//  encode and decode functions
//*****************************************************************************
CPKIFBufferPtr CPKIFEnvelopedData::Encode()
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::Encode()", TOOLKIT_CRYPTO_MISC, 0, this);

    //All memory allocations in this function are decoration of PKIFCMSMessageMemoryHelper.  If an
    //allocation fails we let the caller catch bad_alloc.  The destructor for PKIFCMSMessageMemoryHelper
    //will handle all cleanup.

    //create a memory helper object containing an enveloped data structure
    PKIFCMSMessageMemoryHelper mhEnvelopedData;
    mhEnvelopedData.pEnvelopedData = new CACCMSEnvelopedData;
    memset(mhEnvelopedData.pEnvelopedData, 0, sizeof(CACCMSEnvelopedData));

    //initialize this to 0 - it will be updated as necessary by one or more of the following calls
    //initialization unecessary thanks to memset above but for clarity...
    mhEnvelopedData.pEnvelopedData->version = CACCMSv0;

    //prepare the originator info if present, i.e. certs and crls
    m_impl->PrepareOriginatorInfo(mhEnvelopedData.pEnvelopedData);

    //next, encrypt the content.  pass a buffer to receive the key material
    //so we can use it below when preparing the recip infos
    unsigned char* keyData = NULL;  int keyDataLen = 0;
    try
    {
        //prepare the encrypted content  
        if(m_impl->m_dataToEncrypt != (CPKIFEncryptedContentInfo*)NULL && 
            (!m_impl->m_recipients.empty() || !m_impl->m_keks.empty() /*|| !m_impl->m_karis.empty()*/))
        {
            //if data to encrypt is specified then encrypt it using the specified key
            //and create the necessary pieces of EncryptedData
            m_impl->PrepareEncryptedContent(mhEnvelopedData.pEnvelopedData, &keyData, &keyDataLen);

            //prepare the recipient infos using the key material generated in the call above
            m_impl->PrepareRecipientInfos(mhEnvelopedData.pEnvelopedData, keyData, keyDataLen);

            //overwrite then delete the key
            memset(keyData, 0, keyDataLen); delete[] keyData; keyData = NULL;
        }
        else
        {
            //if data to encrypt is not specified then see if there's a copy of decoded encrypted content
            //to use (i.e. we're re-encoding after adding an unprotected attribute to an object for which 
            //we may not even possess the decryption key).
            if(NULL == m_impl->m_envelopedData || NULL == m_impl->m_envelopedData->data() ||
                0 == (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts)
                throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "No data to encrypt available.");

            CopyOID(&mhEnvelopedData.pEnvelopedData->encryptedContentInfo.contentType, &(*m_impl->m_envelopedData)->encryptedContentInfo.contentType);
            CopyOID(&mhEnvelopedData.pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.algorithm, &(*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.algorithm);
            mhEnvelopedData.pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent = (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent;
            if((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent)
            {
                mhEnvelopedData.pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data = new unsigned char[(*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts];
                memcpy((void*)mhEnvelopedData.pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data, (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data, (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts);
                mhEnvelopedData.pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts = (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts;
            }
            
            mhEnvelopedData.pEnvelopedData->encryptedContentInfo.m.encryptedContentPresent = 1;
            mhEnvelopedData.pEnvelopedData->encryptedContentInfo.encryptedContent.data = new unsigned char[(*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts];
            memcpy((void*)mhEnvelopedData.pEnvelopedData->encryptedContentInfo.encryptedContent.data, (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.data, (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts);
            mhEnvelopedData.pEnvelopedData->encryptedContentInfo.encryptedContent.numocts = (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts;

            //prepare the recipient infos using the key material generated in the call above
            m_impl->PrepareRecipientInfos(mhEnvelopedData.pEnvelopedData, NULL, 0);
        }
    }
    catch(...)
    {
        //catch any exception - then clean up the key - then throw the exception
        if(keyData)
        {
            memset(keyData, 0, keyDataLen); delete[] keyData; keyData = NULL;
        }
        throw;
    }
    
    //make a call to do something we don't yet support
    mhEnvelopedData.pEnvelopedData->m.unprotectedAttrsPresent = 0;
    {//begin unsigned attribute block

        //get all attributes (either by parsing a decoded object or by accessing a previously constructed list)
        CPKIFAttributeList sas;
        GetUnprotectedAttributes(sas);

        if(!sas.empty())
        {
            //create Objective representations of each attribute...
            SetupAttributesInObjectiveStructure(sas, mhEnvelopedData.pEnvelopedData->unprotectedAttrs);

            //then set the flag indicating attributes are present and set the version number
            mhEnvelopedData.pEnvelopedData->m.unprotectedAttrsPresent = 1;
            mhEnvelopedData.pEnvelopedData->version = CACCMSv2;
        }
    }//end unsigned attribute block

    //prepare an ASN 1 object then produce the encoded result
    CACASNWRAPPER_CREATE(CACCMSEnvelopedData, objPDU);
    ASN1OpenType* data1 = NULL;
        
    try
    {
        data1 = objPDU.Encode(mhEnvelopedData.pEnvelopedData);
    }
    catch(...)
    {
        m_impl->RemoveRecipInfos(mhEnvelopedData.pEnvelopedData);
        throw;
    }

    m_impl->RemoveRecipInfos(mhEnvelopedData.pEnvelopedData);

    try
    {
        //copy the buffer info a buffer ptr to be returned to the caller
        CPKIFBufferPtr tmp(new CPKIFBuffer((unsigned char*)data1->data, data1->numocts));
        delete data1; data1 = NULL;
        return tmp;
    }
    catch(std::bad_alloc& ba)
    {
        if(data1)
            delete data1;
        throw ba;
    }
}
void CPKIFEnvelopedData::Decode(
    CPKIFBufferPtr& buf)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::Decode(CPKIFBufferPtr& buf)", TOOLKIT_CRYPTO_MISC, 0, this);

    //if the input is empty - fail now
    if(buf == (CPKIFBuffer*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    try
    {
        //otherwise attempt to decode the buffer into the member enveloped data structure
        (*m_impl->m_envelopedData).Decode(buf->GetBuffer(), buf->GetLength());

        m_impl->m_decodeBuf = buf;

        if(CACCMSv2 == (*m_impl->m_envelopedData)->version)
            m_impl->m_version = CPKIFEnvelopedData::CMSv2;
        else
            m_impl->m_version = CPKIFEnvelopedData::CMSv0;
    }
    catch(CPKIFException& e)
    {
        unsigned char * decoded = NULL;
        unsigned long decodedLen;
        bool b = PEMDecode((char *)buf->GetBuffer(), &decoded, &decodedLen);
        if(b)
        {
            try
            {
                (*m_impl->m_envelopedData).InitContext();
                (*m_impl->m_envelopedData).Decode(decoded, decodedLen);

                CPKIFBufferPtr tmp(new CPKIFBuffer(decoded, decodedLen));
                m_impl->m_decodeBuf = tmp;

                if(CACCMSv2 == (*m_impl->m_envelopedData)->version)
                    m_impl->m_version = CPKIFEnvelopedData::CMSv2;
                else
                    m_impl->m_version = CPKIFEnvelopedData::CMSv0;

                if(NULL != decoded)
                    delete decoded;

            }catch(CPKIFException& e)
            {
                if(NULL != decoded)
                    delete decoded;

                CPKIFMessageException me(thisComponent, MSG_DECODE_FAILED);
                me.push_info(e);
                //delete e;
                throw me;
            }
        }
        else
        {
            CPKIFMessageException me(thisComponent, MSG_DECODE_FAILED);
            me.push_info(e);
            throw me;
        }
    }
}

//*****************************************************************************
//  miscellaneous functions
//*****************************************************************************
CPKIFBufferPtr CPKIFEnvelopedData::Decrypt(
    CPKIFKEKRecipInfoDetailsPtr& kek)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::Decrypt(CPKIFKEKRecipInfoDetailsPtr& kek)", TOOLKIT_CRYPTO_MISC, 0, this);

    //*****************************************************************
    //  sanity check the inputs
    //      - need to have data to decrypt, a kek and an available 
    //  IPKIFCryptoRawOperations interface.
    //*****************************************************************
    IPKIFCryptoRawOperations* cRaw = GetMediator()->GetMediator<IPKIFCryptoRawOperations>();
    if(NULL == cRaw)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoRawOperations interface is not available.");

    if(kek == (CPKIFKEKRecipInfoDetails*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "No KEK passed to Decrypt function.");

    if(NULL == m_impl->m_envelopedData || NULL == m_impl->m_envelopedData->data())
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "No data to decrypt available.");

    //*****************************************************************
    //  prepare the decrypted content info output
    //*****************************************************************
    //decrypt symmetric key
    CPKIFKeyMaterialPtr key = GetSymmetricKey(kek, cRaw, &(*m_impl->m_envelopedData)->recipientInfos);
    if(key == (CPKIFKeyMaterial*)NULL)
        throw CPKIFMessageException(thisComponent, MSG_SYMKEY_DECRYPT_FAILED, "Failed to successfully find and decrypt necessary key material.");

    //having successfully decrypted the key - determine the algorithm and mode
    CPKIFAlgorithm * pkifAlg = GetCACSymAlg(&(*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm);

    if(!pkifAlg)
        throw CPKIFMessageException(thisComponent, COMMON_UNSUPPORTED_ALG, "Unsupported content encryption algorithm.");

    //set the alg and mode on the key material object
    key->SetSymmetricKeyAlgorithm(pkifAlg->SymkeyAlg());
    key->SetMode(pkifAlg->SymkeyMode());

    //see if we need to crack an IV out of the alg params
    if(pkifAlg->NeedsIV())
    {
        //understanding that we need an IV, see if one is actually present
        if(!(*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent)
        {
            throw CPKIFMessageException(thisComponent, MSG_MISSING_PARAMS, "Content encryption mode requires an IV and no IV is present.");
        }
        else
        {
            //understanding that we need an IV and that one is present, decode the octet string that contains the IV
            OOCTXT ctxt;
            initContext (&ctxt);
            setBERDecBufPtr(&ctxt, (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data, (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts, NULL, NULL);

            unsigned char* iv = NULL;
            unsigned int ivLen = (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts;

            int stat = decodeDynOctStr (&ctxt, (const OSOCTET* *)&iv, (OSUINT32 *)&ivLen, ASN1EXPL, ivLen);
            if (stat != ASN_OK)
            {
                //clean up the context
                //freeEncodeBuffer(&ctxt);
                //memFreeAll(&ctxt);
                freeContext(&ctxt);

                throw CPKIFMessageException(TOOLKIT_MESSAGE_ASN, ASN1_DECODE_ERROR, "Failed to decode IV value");
            }

            key->SetIV(iv, ivLen);

            //clean up the context
            //freeEncodeBuffer(&ctxt);
            //memFreeAll(&ctxt);
            freeContext(&ctxt);
        }
    }

    //allocate a buffer to receive the decrypted content - throw bad_alloc
    int nResultLen = (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts;
    unsigned char* pResult = new unsigned char[nResultLen];

    try
    {
        cRaw->Decrypt(*key, (unsigned char*)(*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.data, (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts, pResult, &nResultLen);
    }
    catch(...)
    {
        //throw any exception - but first clean up pResult
        if(pResult)
            delete[] pResult;

        throw;
    }

    CPKIFBuffer* pTmpBP = NULL;
    try
    {
        pTmpBP = new CPKIFBuffer(true, pResult, nResultLen);
    }
    catch(std::bad_alloc& ba)
    {
        if(pResult)
            delete[] pResult;

        throw ba;
    }

    CPKIFBufferPtr tmpBP(pTmpBP);

    //having decrypted the content, prepare the pieces of an encrypted content info object and
    //store the results in m_dataToEncrypt
    CPKIFEncryptedContentInfoPtr tmpECIP(new CPKIFEncryptedContentInfo);
    CPKIFOIDPtr tmpECIP_OID(new CPKIFOID((*m_impl->m_envelopedData)->encryptedContentInfo.contentType.subid,
        (*m_impl->m_envelopedData)->encryptedContentInfo.contentType.numids));
    tmpECIP->SetOID(tmpECIP_OID);

        //CPKIFAlgorithmIdentifier creation
    CPKIFOIDPtr algOID(new CPKIFOID((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.algorithm.subid,
                        (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.algorithm.numids));
    
    CPKIFBufferPtr paramBuf;
    if((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent)
    {
        paramBuf = CPKIFBufferPtr(new CPKIFBuffer((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data,
                    (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts));
    
    
    }
    
    CPKIFAlgorithmIdentifierPtr tmpECIP_AlgID(new CPKIFAlgorithmIdentifier(algOID, paramBuf)); 

    //CPKIFAlgorithmIdentifierPtr tmpECIP_AlgID(new CPKIFAlgorithmIdentifier(*((CACX509V3AlgorithmIdentifier*)&(*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm)));
    tmpECIP->SetAlgorithmIdentifier(tmpECIP_AlgID);

    tmpECIP->SetContent(tmpBP);
    m_impl->m_dataToEncrypt = tmpECIP;

    return tmpBP;
}
CPKIFBufferPtr CPKIFEnvelopedData::Decrypt(
    CPKIFCredentialPtr& cred)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::Decrypt(CPKIFCredentialPtr& cred)", TOOLKIT_CRYPTO_MISC, 0, this);

    //*****************************************************************
    //  sanity check the inputs
    //      - need to have data to decrypt and available 
    //  IPKIFCryptoRawOperations and IPKIFCryptoKeyIDOperations interfaces.
    //*****************************************************************
    if(NULL == m_impl->m_envelopedData || NULL == m_impl->m_envelopedData->data())
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "No data to decrypt available.");


    if(NULL == GetMediator())
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "Mediator is not available.");

    IPKIFCryptoKeyIDOperations* cKeyID = GetMediator()->GetMediator<IPKIFCryptoKeyIDOperations>();
    if(NULL == cKeyID)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoKeyIDOperations interface is not available.");

    IPKIFCryptoRawOperations* cRaw = GetMediator()->GetMediator<IPKIFCryptoRawOperations>();
    if(NULL == cRaw)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoRawOperations interface is not available.");

    IPKIFCryptoKeyAgree* cKeyAgree = GetMediator()->GetMediator<IPKIFCryptoKeyAgree>();

    //*****************************************************************
    // if a credential was passed in, it will be used.  if not, then
    // an attempt will be made to discover the credential.  
    //*****************************************************************
    CPKIFCredentialPtr tmpCred = cred;
    if(tmpCred == (CPKIFCredential*)NULL)
    {
        //if no credential was passed in but a default key has been defined, it will be used
        IPKIFDefaultKeyManagement* cDefKeys = GetMediator()->GetMediator<IPKIFDefaultKeyManagement>();
        if(NULL != cDefKeys)
            tmpCred = cDefKeys->GetDefaultKey(PKIFCRYPTO::DECRYPTION);

        if(tmpCred == (CPKIFCredential*)NULL)
        {
            //if no cred has been passed nor declared as default then we'll look around and see
            //if we can find the proper credential
            try
            {
                tmpCred = AutoDiscoverDecryptionKey(cKeyID, &(*m_impl->m_envelopedData)->recipientInfos);
                if(tmpCred == (CPKIFCredential*)NULL)
                    throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "Failed to automatically discover the decryption key.");
            }
            catch(CPKIFException& e)
            {
                CPKIFMessageException me(thisComponent, COMMON_INVALID_INPUT, "Exception while trying to automatically discover the decryption key.");
                me.push_info(e);
                throw me;
            }
        }
    }

    //*****************************************************************
    //  prepare the decrypted content info output
    //*****************************************************************
    //decrypt symmetric key
    CPKIFKeyMaterialPtr key;
    if((*m_impl->m_envelopedData)->m.originatorInfoPresent)
        key = GetSymmetricKey(tmpCred, cKeyID, &(*m_impl->m_envelopedData)->recipientInfos, cKeyAgree, cRaw, &(*m_impl->m_envelopedData)->originatorInfo);
    else
        key = GetSymmetricKey(tmpCred, cKeyID, &(*m_impl->m_envelopedData)->recipientInfos, cKeyAgree, cRaw, NULL);
    if(key == (CPKIFKeyMaterial*)NULL)
        throw CPKIFMessageException(thisComponent, MSG_SYMKEY_DECRYPT_FAILED, "Failed to successfully find and decrypt necessary key material.");

    CPKIFAlgorithm * pkifAlg = GetCACSymAlg(&(*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm);
    //having successfully decrypted the key - determine the algorithm and mode
    if(!pkifAlg)
        throw CPKIFMessageException(thisComponent, COMMON_UNSUPPORTED_ALG, "Unsupported content encryption algorithm.");

    //set the alg and mode on the key material object
    key->SetSymmetricKeyAlgorithm(pkifAlg->SymkeyAlg());
    key->SetMode(pkifAlg->SymkeyMode());

    //see if we need to crack an IV out of the alg params
    if(pkifAlg->NeedsIV())
    {
        //understanding that we need an IV, see if one is actually present
        if(!(*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent)
        {
            throw CPKIFMessageException(thisComponent, MSG_MISSING_PARAMS, "Content encryption mode requires an IV and no IV is present.");
        }
        else
        {
            //understanding that we need an IV and that one is present, decode the octet string that contains the IV
            OOCTXT ctxt;
            initContext (&ctxt);
            setBERDecBufPtr(&ctxt, (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data, (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts, NULL, NULL);

            unsigned char* iv = NULL;
            unsigned int ivLen = (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts;

            int stat = decodeDynOctStr (&ctxt, (const OSOCTET* *)&iv, (OSUINT32 *)&ivLen, ASN1EXPL, ivLen);
            if (stat != ASN_OK)
            {
                //clean up the context
                //freeEncodeBuffer(&ctxt);
                //memFreeAll(&ctxt);
                freeContext(&ctxt);

                throw CPKIFMessageException(TOOLKIT_MESSAGE_ASN, ASN1_DECODE_ERROR, "Failed to decode IV value");
            }

            key->SetIV(iv, ivLen);

            //clean up the context
            //freeEncodeBuffer(&ctxt);
            //memFreeAll(&ctxt);
            freeContext(&ctxt);
        }
    }

    //allocate a buffer to receive the decrypted content - throw bad_alloc
    int nResultLen = (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts;
    unsigned char* pResult = new unsigned char[nResultLen];

    try
    {
        cRaw->Decrypt(*key, (unsigned char*)(*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.data, (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts, pResult, &nResultLen);
    }
    catch(...)
    {
        //throw any exception - but first clean up pResult
        if(pResult)
            delete[] pResult;

        throw;
    }

    CPKIFBuffer* pTmpBP = NULL;
    try
    {
        pTmpBP = new CPKIFBuffer(true, pResult, nResultLen);
    }
    catch(std::bad_alloc& ba)
    {
        if(pResult)
            delete[] pResult;

        throw ba;
    }

    CPKIFBufferPtr tmpBP(pTmpBP);

    //having decrypted the content, prepare the pieces of an encrypted content info object and
    //store the results in m_dataToEncrypt
    CPKIFEncryptedContentInfoPtr tmpECIP(new CPKIFEncryptedContentInfo);
    CPKIFOIDPtr tmpECIP_OID(new CPKIFOID((*m_impl->m_envelopedData)->encryptedContentInfo.contentType.subid,
        (*m_impl->m_envelopedData)->encryptedContentInfo.contentType.numids));
    tmpECIP->SetOID(tmpECIP_OID);

        //CPKIFAlgorithmIdentifier creation
    CPKIFOIDPtr algOID(new CPKIFOID((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.algorithm.subid,
                        (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.algorithm.numids));
    
    CPKIFBufferPtr paramBuf;
    if((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent)
    {
        paramBuf = CPKIFBufferPtr(new CPKIFBuffer((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data,
                    (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts));
    
    
    }
    
    CPKIFAlgorithmIdentifierPtr tmpECIP_AlgID(new CPKIFAlgorithmIdentifier(algOID, paramBuf)); 
    //CPKIFAlgorithmIdentifierPtr tmpECIP_AlgID(new CPKIFAlgorithmIdentifier(*((CACX509V3AlgorithmIdentifier*)&(*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm)));
    tmpECIP->SetAlgorithmIdentifier(tmpECIP_AlgID);

    tmpECIP->SetContent(tmpBP);
    m_impl->m_dataToEncrypt = tmpECIP;

    return tmpBP;
}

//*****************************************************************************
//  miscellaneous private functions
//*****************************************************************************
void CPKIFEnvelopedDataImpl::PrepareEncryptedContent(
    CACCMSEnvelopedData* pEnvelopedData,
    unsigned char** keyData, 
    int* keyDataLen)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::PrepareEncryptedContent(CACCMSEnvelopedData* pEnvelopedData, unsigned char** keyData, int* keyDataLen)", TOOLKIT_CRYPTO_MISC, 0, this);

    //*****************************************************************
    //  sanity check the inputs
    //      - need to have data to decrypt and available 
    //  IPKIFCryptoRawOperations and IPKIFCryptoMisc interfaces.
    //*****************************************************************
    if(NULL == m_med)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "Mediator is not available.");

    IPKIFCryptoMisc* cMisc = m_med->GetMediator<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoMisc interface is not available.");

    if(m_dataToEncrypt == (CPKIFEncryptedContentInfo*)NULL)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_INVALID_INPUT, "No data to encrypt is available.");

    IPKIFCryptoRawOperations* cRaw = m_med->GetMediator<IPKIFCryptoRawOperations>();
    if(NULL == cRaw)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoRawOperations interface is not available.");

    //*****************************************************************
    //  prepare the encrypted content info output
    //*****************************************************************
    CPKIFStringPtr str(new std::string(m_dataToEncrypt->GetOID()->ToString())); 
    ASN1OBJID* tmpOid = ConvertStringToASN1OBJID(str);
    CopyOID(&pEnvelopedData->encryptedContentInfo.contentType, tmpOid);
    if(tmpOid)
        delete tmpOid;
    //CopyOID(&pEnvelopedData->encryptedContentInfo.contentType, m_dataToEncrypt->GetOID()->raw());
    CPKIFAlgorithm * algInfo = CPKIFAlgorithm::GetAlg(m_alg,m_mode);
    CPKIFOIDPtr activeAlg = algInfo->OID();
    int keySize = algInfo->KeySize();
    int ivSize = algInfo->BlockSize();
    bool needIV = algInfo->NeedsIV();
    if(!activeAlg) throw CPKIFMessageException(m_parent->thisComponent, COMMON_UNSUPPORTED_ALG);

    CPKIFStringPtr secondStr(new std::string(activeAlg->ToString())); 
    ASN1OBJID* secondTmpOid = ConvertStringToASN1OBJID(secondStr);
    CopyOID(&pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.algorithm, secondTmpOid);
    if(secondTmpOid)
        delete secondTmpOid;
    //CopyOID(&pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.algorithm, activeAlg->raw());

    //throw bad_alloc (no need to clean this up here - once we hand it off the caller will clean it up)
    *keyData = new unsigned char[keySize];
    *keyDataLen = keySize;

    //generate a random content encryption key
    cMisc->GenRandom(*keyData, keySize);

    //set up a key material object with the key, alg and mode (IV will be added below if necessary)
    CPKIFKeyMaterial key;
    key.SetSymmetricKey(*keyData, *keyDataLen);
    key.SetSymmetricKeyAlgorithm(m_alg);
    key.SetMode(m_mode);

    const int maxBlock = (MAXBLOCK/8) + 1;
    if(needIV)
    {
        //generate a random IV
        unsigned char iv[maxBlock];
        cMisc->GenRandom(iv, ivSize);
        key.SetIV(iv, ivSize);

        //encode the IV as an octet string the the content enc alg parameters
        pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent = 1;
        EncodeIVAsOctetString(iv, ivSize, 
            (unsigned char**)&pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data, 
            (int*)&pEnvelopedData->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts);
    }

    //grab a pointer to the content to be encrypted
    CPKIFBufferPtr dataToEnc = m_dataToEncrypt->GetContent();

    //overallocate a buffer (the length will be adjusted down by the call to Encrypt)
    pEnvelopedData->encryptedContentInfo.encryptedContent.numocts = dataToEnc->GetLength() + maxBlock;
    pEnvelopedData->encryptedContentInfo.encryptedContent.data = new unsigned char[pEnvelopedData->encryptedContentInfo.encryptedContent.numocts];

    cRaw->Encrypt(key, (unsigned char*)dataToEnc->GetBuffer(), dataToEnc->GetLength(), 
        (unsigned char*)pEnvelopedData->encryptedContentInfo.encryptedContent.data, (int*)&pEnvelopedData->encryptedContentInfo.encryptedContent.numocts);

    pEnvelopedData->encryptedContentInfo.m.encryptedContentPresent = 1;
}
void CPKIFEnvelopedDataImpl::PrepareOriginatorInfo(
    CACCMSEnvelopedData* pEnvelopedData)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::PrepareOriginatorInfo(CACCMSEnvelopedData* pEnvelopedData)", TOOLKIT_CRYPTO_MISC, 0, this);

    //add any certs or crls that have been associated with this object (possibly zero)
    AddCerts(pEnvelopedData);
    AddCRLs(pEnvelopedData);

    //added following line 3/30/2004 - else orginator info was not being encoded
    pEnvelopedData->m.originatorInfoPresent = pEnvelopedData->originatorInfo.m.certsPresent || pEnvelopedData->originatorInfo.m.crlsPresent;
}
void CPKIFEnvelopedDataImpl::populateUnsignedAttributesVector(
    const CACCMSUnsignedAttributes& ua)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::populateUnsignedAttributesVector(const CACCMSUnsignedAttributes& ua)", TOOLKIT_CRYPTO_MISC, 0, this);

    //if we've already populated the extensions vector then return
    if(!m_unprotectedAttributes.empty())
        return;

    //if there are no extensions then return
    if(0 == ua.count)
    {
        m_unprotectedAttributes.clear();
        return;
    }

    //create an extensions mediator using the default extension colleagues and initialize it
    CPKIFCMSAttributeMediator2* mediator = CPKIFCMSAttributeMediator2::GetInstance();

    //iterate over the list of extensions and populate the extensions vector
    DListNode* cur = ua.head;
    for(unsigned int ii = 0; ii < ua.count; ++ii)
    {
        CACCMSAttribute* attr = (CACCMSAttribute*) cur->data;
        CPKIFOIDPtr oid(new CPKIFOID(attr->attrType.subid, attr->attrType.numids));
        CPKIFBufferPtr buf(new CPKIFBuffer(attr->attrValues.data, attr->attrValues.numocts));

        m_unprotectedAttributes.push_back(mediator->getAttribute(oid, buf));
        cur = cur->next;
    }
}
void CPKIFEnvelopedDataImpl::PrepareRecipientInfos(
    CACCMSEnvelopedData* pEnvelopedData,
    unsigned char* keyData, 
    int keyDataLen)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::PrepareRecipientInfos(CACCMSEnvelopedData* pEnvelopedData, ...", TOOLKIT_CRYPTO_MISC, 0, this);

    //*****************************************************************
    //  sanity check the inputs
    //      - need to have available IPKIFCryptoRawOperations and 
    //  IPKIFCryptoMisc interfaces.
    //*****************************************************************
    if(NULL == m_med)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "Mediator is not available.");

    //This function prepares the recipient info fields, i.e. encrypts the key for each and builds the necessary structure
    IPKIFCryptoRawOperations* cRaw = m_med->GetMediator<IPKIFCryptoRawOperations>();
    if(NULL == cRaw)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoRawOperations interface is not available.");

    //*****************************************************************
    //  iterate over the recipient infos
    //*****************************************************************
    //first, add any signer infos that were present in the decoded message
    if(NULL != m_envelopedData && NULL != (*m_envelopedData).data() && (*m_envelopedData)->recipientInfos.count > 0)
    {
        DListNode* cur = NULL;
        DListNode* existing = (*m_envelopedData)->recipientInfos.head;
        while(NULL != existing)
        {
            //throw bad_alloc
            if(NULL == cur)
            {
                NEW_NODE(cur)
            }
            else
            {
                NEW_NEXT_AND_ADVANCE(cur)
            }

            cur->data = existing->data;

            existing = existing->next;

            SET_HEAD_TAIL_INCREMENT(pEnvelopedData->recipientInfos, cur)
        }
    }

    DListNode* cur = NULL;
    CPKIFCertificateList::iterator pos;
    CPKIFCertificateList::iterator end = m_recipients.end();
    for(pos = m_recipients.begin(); end != pos; ++pos)
    {
        //create a list entry, set it to point to the recip. info created above...
        if(NULL == cur)
        {
            NEW_NODE(cur)
        }
        else
        {
            NEW_NEXT_AND_ADVANCE(cur)
        }

        CACCMSRecipientInfo* tmpRI = NULL;

        try
        {
            tmpRI = new CACCMSRecipientInfo;
        
            //XXX-DEFER only doing key transport option for now
            tmpRI->t = 1;
            tmpRI->u.ktri = new CACCMSKeyTransRecipientInfo;
        }
        catch(std::bad_alloc& ba)
        {
            if(tmpRI)
            {
                if(tmpRI->u.ktri)
                    delete tmpRI->u.ktri;
                delete tmpRI;
            }

            throw ba;
        }

        //set the memory helper protected object to point to tmpRI so
        //that failures below this point will not cause leaks
        cur->data = (void*)tmpRI;

        //set Objective structures to point to values from various PKIF objects
        CPKIFSubjectPublicKeyInfoPtr spki = (*pos)->SubjectPublicKeyInfo();
        CPKIFAlgorithmIdentifierPtr spkiAlg = spki->alg();
        CPKIFOIDPtr spkiAlgOID = spkiAlg->oid();

        CPKIFStringPtr str(new std::string(spkiAlgOID->ToString())); 
        ASN1OBJID* tmpOid = ConvertStringToASN1OBJID(str);
        CopyOID(&tmpRI->u.ktri->keyEncryptionAlgorithm.algorithm,tmpOid);
        if(tmpOid)
            delete tmpOid;
        //CopyOID(&tmpRI->u.ktri->keyEncryptionAlgorithm.algorithm,spkiAlgOID->raw());
        tmpRI->u.ktri->keyEncryptionAlgorithm.m.parametersPresent = 1;
        
        //assume RSA with NULL params
        tmpRI->u.ktri->keyEncryptionAlgorithm.parameters.data = nullParams;
        tmpRI->u.ktri->keyEncryptionAlgorithm.parameters.numocts = 2;

        //XXX-DEFER issDN and serial num for now (version will need changing if SKID is used)
        //      if skid is used the pEnvelopedData->version = CACCMSv2;
        tmpRI->u.ktri->version = CACCMSv0; 
        tmpRI->u.ktri->rid.t = 1;
        tmpRI->u.ktri->rid.u.issuerAndSerialNumber = new CACCMSIssuerAndSerialNumber;

        CPKIFNamePtr issuer = (*pos)->Issuer();

        CACASNWRAPPER_CREATE(CACX509V3Name, objPDU);
        CACX509V3Name *tmpName = NULL;
        CPKIFBufferPtr nameBuf = issuer->rawName();
        tmpName = objPDU.Decode(nameBuf->GetBuffer(), nameBuf->GetLength());
        CopyName(&tmpRI->u.ktri->rid.u.issuerAndSerialNumber->issuer, *tmpName);
        //tmpRI->u.ktri->rid.u.issuerAndSerialNumber->issuer = *tmpName;
        //tmpRI->u.ktri->rid.u.issuerAndSerialNumber->issuer = *issuer->rawName();
        tmpRI->u.ktri->rid.u.issuerAndSerialNumber->serialNumber = (*pos)->SerialNumber();
    
        //prepare a key material object with the cert for the current recipient
        CPKIFKeyMaterial km;
        CPKIFBufferPtr certBuf = (*pos)->Encoded();
        km.SetCertificate(certBuf->GetBuffer(), certBuf->GetLength());

        tmpRI->u.ktri->encryptedKey.data = new unsigned char[keyDataLen + 256];

        tmpRI->u.ktri->encryptedKey.numocts = keyDataLen + 256;

        try
        {
            cRaw->Encrypt(km, keyData, keyDataLen, (unsigned char*)tmpRI->u.ktri->encryptedKey.data, (int*)&tmpRI->u.ktri->encryptedKey.numocts);
        }
        catch(CPKIFException& e)
        {
            //XXX-DEFER would we rather create the message for all possible recipients 
            //          or fail the entire message? for now fail all
            throw e;
        }

        SET_HEAD_TAIL_INCREMENT(pEnvelopedData->recipientInfos, cur)
    }

    CPKIFKEKRecipInfoDetailsList::iterator kekPos;
    CPKIFKEKRecipInfoDetailsList::iterator kekEnd = m_keks.end();
    for(kekPos = m_keks.begin(); kekPos != kekEnd; ++kekPos)
    {
        //continue using the same cur variable so the list is properly formed
        if(NULL == cur)
        {
            NEW_NODE(cur)
        }
        else
        {
            NEW_NEXT_AND_ADVANCE(cur)
        }

        CACCMSRecipientInfo* tmpRI = NULL;

        try
        {
            tmpRI = new CACCMSRecipientInfo;
            tmpRI->t = T_CACCMSRecipientInfo_kekri;
            tmpRI->u.kekri = new CACCMSKEKRecipientInfo;
            memset(tmpRI->u.kekri, 0, sizeof(CACCMSKEKRecipientInfo));
        }
        catch(std::bad_alloc& ba)
        {
            if(tmpRI)
            {
                if(tmpRI->u.kekri)
                    delete tmpRI->u.kekri;
                delete tmpRI;
            }

            throw ba;
        }

        //set the memory helper protected object to point to tmpRI so
        //that failures below this point will not cause leaks
        cur->data = (void*)tmpRI;

        CPKIFBufferPtr keyID = (*kekPos)->GetKeyIdentifier();
        tmpRI->u.kekri->kekid.keyIdentifier.data = keyID->GetBuffer();
        tmpRI->u.kekri->kekid.keyIdentifier.numocts = keyID->GetLength();

        //encrypt data
        CPKIFOIDPtr activeAlg;
        int keySize = 0, ivSize = 0;
        bool needIV = false;
        CPKIFKeyMaterialPtr curKey = (*kekPos)->GetKEK();
        if(PKIFCRYPTO::TDES == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::CBC == curKey->GetMode())
        {
            activeAlg = g_tdesCBC;
            keySize = 24;
            needIV = true;
            ivSize = 8;
        }
        else if(PKIFCRYPTO::DES == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::CBC == curKey->GetMode())
        {
            activeAlg = g_desCBC;
            keySize = 8;
            needIV = true;
            ivSize = 8;
        }
        else if(PKIFCRYPTO::DES == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::ECB == curKey->GetMode())
        {
            activeAlg = g_desECB;
            keySize = 8;
            needIV = false;
        }
        else if(PKIFCRYPTO::AES == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::ECB == curKey->GetMode())
        {
            activeAlg = g_aes128ECB;
            keySize = 16;
            needIV = false;
        }
        else if(PKIFCRYPTO::AES == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::CBC == curKey->GetMode())
        {
            activeAlg = g_aes128CBC;
            keySize = 16;
            needIV = true;
            ivSize = 16;
        }
        else if(PKIFCRYPTO::AES128 == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::ECB == curKey->GetMode())
        {
            activeAlg = g_aes128ECB;
            keySize = 16;
            needIV = false;
        }
        else if(PKIFCRYPTO::AES128 == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::CBC == curKey->GetMode())
        {
            activeAlg = g_aes128CBC;
            keySize = 16;
            needIV = true;
            ivSize = 16;
        }
        else if(PKIFCRYPTO::AES192 == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::ECB == curKey->GetMode())
        {
            activeAlg = g_aes192ECB;
            keySize = 24;
            needIV = false;
        }
        else if(PKIFCRYPTO::AES192 == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::CBC == curKey->GetMode())
        {
            activeAlg = g_aes192CBC;
            keySize = 24;
            needIV = true;
            ivSize = 16;
        }
        else if(PKIFCRYPTO::AES256 == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::ECB == curKey->GetMode())
        {
            activeAlg = g_aes256ECB;
            keySize = 32;
            needIV = false;
        }
        else if(PKIFCRYPTO::AES256 == curKey->GetSymmetricKeyAlgorithm() && PKIFCRYPTO::CBC == curKey->GetMode())
        {
            activeAlg = g_aes256CBC;
            keySize = 32;
            needIV = true;
            ivSize = 16;
        }
        else
            throw CPKIFMessageException(m_parent->thisComponent, COMMON_UNSUPPORTED_ALG);

        CPKIFStringPtr str(new std::string(activeAlg->ToString())); 
        ASN1OBJID* tmpOid = ConvertStringToASN1OBJID(str);
        CopyOID(&tmpRI->u.kekri->keyEncryptionAlgorithm.algorithm, tmpOid);
        if(tmpOid)
            delete tmpOid;
        //CopyOID(&tmpRI->u.kekri->keyEncryptionAlgorithm.algorithm, activeAlg->raw());

        if(needIV)
        {
            IPKIFCryptoMisc* cMisc = m_med->GetMediator<IPKIFCryptoMisc>();
            if(NULL == cMisc)
                throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoMisc interface is not available.");

            unsigned char iv[MAXBLOCK];
            cMisc->GenRandom(iv, ivSize);
            curKey->SetIV(iv, ivSize);

            tmpRI->u.kekri->keyEncryptionAlgorithm.m.parametersPresent = 1;

            EncodeIVAsOctetString(iv, ivSize, 
                (unsigned char**)&tmpRI->u.kekri->keyEncryptionAlgorithm.parameters.data, 
                (int*)&tmpRI->u.kekri->keyEncryptionAlgorithm.parameters.numocts);
        }

        tmpRI->u.kekri->version = CACCMSv4; //always set to 4 per RFC3369
        tmpRI->u.kekri->encryptedKey.data = new unsigned char[keyDataLen + 256];
        tmpRI->u.kekri->encryptedKey.numocts = keyDataLen + 256;

        try
        {
            cRaw->Encrypt(*curKey, keyData, keyDataLen, (unsigned char*)tmpRI->u.kekri->encryptedKey.data, (int*)&tmpRI->u.kekri->encryptedKey.numocts);
        }
        catch(CPKIFException& e)
        {
            //XXX-DEFER would we rather create the message for all possible recipients 
            //          or fail the entire message? for now fail all
            throw e;
        }

        SET_HEAD_TAIL_INCREMENT(pEnvelopedData->recipientInfos, cur)
    }
    
    //CPKIFKARIDetailsList::iterator kariPos;
    //CPKIFKARIDetailsList::iterator kariEnd = m_karis.end();
    //for(kariPos = m_karis.begin(); kariPos != kariEnd; ++kariPos)
    //{
    //  //continue using the same cur variable so the list is properly formed
    //  if(NULL == cur)
    //  {
    //      NEW_NODE(cur)
    //  }
    //  else
    //  {
    //      NEW_NEXT_AND_ADVANCE(cur)
    //  }

    //  CACCMSRecipientInfo* tmpRI = NULL;

    //  try
    //  {
    //      tmpRI = new CACCMSRecipientInfo;
    //      tmpRI->t = T_CACCMSRecipientInfo_kari;
    //      tmpRI->u.kari = new CACCMSKeyAgreeRecipientInfo;
    //      memset(tmpRI->u.kari, 0, sizeof(CACCMSKeyAgreeRecipientInfo));
    //  }
    //  catch(std::bad_alloc& ba)
    //  {
    //      if(tmpRI)
    //      {
    //          if(tmpRI->u.kekri)
    //              delete tmpRI->u.kekri;
    //          delete tmpRI;
    //      }

    //      throw ba;
    //  }

    //  //set the memory helper protected object to point to tmpRI so
    //  //that failures below this point will not cause leaks
    //  cur->data = (void*)tmpRI;
    //  (*kariPos)->SetCEK(keyData,keyDataLen);
    //  CPKIFBufferPtr encBuf = (*kariPos)->Encoded(m_cred);
    //  if(!encBuf) {
    //      throw CPKIFMessageException(m_parent->thisComponent,MSG_ENCODE_FAILED);
    //  }
    //  CACASNWRAPPER_CREATE(CACCMSKeyAgreeRecipientInfo, kariWrapper);
    //  CACCMSKeyAgreeRecipientInfo * kariDec = kariWrapper.Decode(encBuf->GetBuffer(), encBuf->GetLength());
    //  memcpy(tmpRI->u.kari,kariDec,sizeof(CACCMSKeyAgreeRecipientInfo));
    //  SET_HEAD_TAIL_INCREMENT(pEnvelopedData->recipientInfos, cur)
    //}
}
void CPKIFEnvelopedDataImpl::AddCerts(
    CACCMSEnvelopedData* pEnvelopedData)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::AddCerts(CACCMSEnvelopedData* pEnvelopedData)", TOOLKIT_CRYPTO_MISC, 0, this);

    //if no certs have been associated with this instance return now
    if(m_certificates.empty())
        return;

    //else initialize the list and update the version info
    pEnvelopedData->originatorInfo.certs.count = 0;
    pEnvelopedData->originatorInfo.m.certsPresent = 1;
    pEnvelopedData->version = CACCMSv2;

    //This function will put any certs held in the m_certificates member (i.e. those added via the 
    //AddCertificate function) into the CACCMSEnvelopedData structure passed in
    DListNode* cur = NULL;
    CPKIFCertificateList::iterator certPos; 
    CPKIFCertificateList::iterator certEnd = m_certificates.end();
    for(certPos = m_certificates.begin(); certPos != certEnd; ++certPos)
    {
        if(NULL == cur)
        {
            NEW_NODE(cur)
        }
        else
        {
            NEW_NEXT_AND_ADVANCE(cur)
        }

        //throw bad_alloc - memory will be cleaned by the memory helper object
        //into which things have been allocated
        CACCMSCertificateChoices* tmpChoice = new CACCMSCertificateChoices;
        tmpChoice->t = T_CACCMSCertificateChoices_certificate;
        tmpChoice->u.certificate = new ASN1OpenType;
        
        //certs were screened when added to make sure the encoded buffer existed
        tmpChoice->u.certificate->data = (*certPos)->Encoded()->GetBuffer();
        tmpChoice->u.certificate->numocts = (*certPos)->Encoded()->GetLength();
        
        cur->data = tmpChoice;

        SET_HEAD_TAIL_INCREMENT(pEnvelopedData->originatorInfo.certs, cur)
    }   
}

void CPKIFEnvelopedDataImpl::AddCRLs(
    CACCMSEnvelopedData* pEnvelopedData)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::AddCRLs(CACCMSEnvelopedData* pEnvelopedData)", TOOLKIT_CRYPTO_MISC, 0, this);

    //if no crls have been associated with this instance return now
    if(m_crls.empty())
        return;

    //else initialize the list and update the version info
    pEnvelopedData->originatorInfo.crls.count = 0;
    pEnvelopedData->originatorInfo.m.crlsPresent = 1;
    pEnvelopedData->version = CACCMSv2;

    //This function will put any CRLs held in the m_crls member (i.e. those added via the 
    //AddCRL function) into the CACCMSEnvelopedData structure passed in
    DListNode* cur = NULL;
    CPKIFCRLList::iterator crlPos;  
    CPKIFCRLList::iterator crlEnd = m_crls.end();
    for(crlPos = m_crls.begin(); crlPos != crlEnd; ++crlPos)
    {
        if(NULL == cur)
        {
            NEW_NODE(cur)
        }
        else
        {
            NEW_NEXT_AND_ADVANCE(cur)
        }

        //throw bad_alloc - memory will be cleaned by the memory helper object
        //into which things have been allocated
        CACCMSRevocationInfoChoice* revChoice = new CACCMSRevocationInfoChoice;
        revChoice->t = T_CACCMSRevocationInfoChoice_crl;
        revChoice->u.crl = new ASN1OpenType;

        //crls were screened when added to make sure the encoded buffer existed
        revChoice->u.crl->data = (*crlPos)->Encoded()->GetBuffer();
        revChoice->u.crl->numocts = (*crlPos)->Encoded()->GetLength();

        cur->data = revChoice;

        SET_HEAD_TAIL_INCREMENT(pEnvelopedData->originatorInfo.crls, cur)
    }   
}
void CPKIFEnvelopedDataImpl::RemoveRecipInfos(
    CACCMSEnvelopedData* envelopedData)
{
    LOG_STRING_DEBUG("CPKIFEnvelopedData::RemoveRecipInfos(CACCMSEnvelopedData* envelopedData)", TOOLKIT_CRYPTO_MISC, 0, this);

    //the purpose of this function is to disassociate previously existing recip info objects from
    //newly created recip info objects so we don't end up freeing things twice.  essentially, the
    //recip infos from a decoded message are temporarily patched into the recip info list of a
    //newly encoded message and must be removed before the memory helper object fires.
    if(NULL != m_envelopedData && NULL != (*m_envelopedData).data() && (*m_envelopedData)->recipientInfos.count)
    {
        //added tmp stuff 11/11/2003
        DListNode* cur = envelopedData->recipientInfos.head, *tmp = NULL;
        for(unsigned int ii = 0; ii < (*m_envelopedData)->recipientInfos.count && NULL != cur; ++ii, --envelopedData->recipientInfos.count)
        {
            tmp = cur;
            cur = cur->next;
            delete tmp;
        }
        envelopedData->recipientInfos.head = cur;
    }
}
void CPKIFEnvelopedData::GetEncodedUnprotectedAttributes (
    CPKIFBufferPtr& buf) {
  try
  {
    if (NULL != m_impl->m_envelopedData && NULL != m_impl->m_envelopedData->data() 
      && (*m_impl->m_envelopedData)->m.unprotectedAttrsPresent)
    {
      CACASNWRAPPER_CREATE(CACCMSUnprotectedAttributes, attrWrapper);
      ASN1OpenType *data = attrWrapper.Encode (&(*m_impl->m_envelopedData)->unprotectedAttrs);
      CPKIFBufferPtr tmp(new CPKIFBuffer(data->data, data->numocts));
      buf = tmp;
      delete data;
      return;
    }
  } 
  catch (...)
  {
  }

  CPKIFBufferPtr nullExt;
  buf = nullExt;
}
void CPKIFEnvelopedData::_GetUnprotectedAttributes(
    std::vector<CPKIFAttributePtr> attrVector)
{
    CPKIFCMSAttributeMediator2* mediator = CPKIFCMSAttributeMediator2::GetInstance();
    this->IPKIFHasAttributes::GetUnprotectedAttributes(mediator, attrVector);
}
void CPKIFEnvelopedData::GetAddedUnprotectedAttributes(
    std::vector<CPKIFAttributePtr>& attr)
{
  CPKIFAttributeList::iterator pos;
  CPKIFAttributeList::iterator end = m_impl->m_unprotectedAttributes.end();
  for (pos = m_impl->m_unprotectedAttributes.begin(); pos != end; pos++)
  {
    attr.push_back (*pos);
  }
}
CPKIFEncryptedContentInfoPtr CPKIFEnvelopedData::GetEncryptedData() const
{
    if(m_impl->m_dataToEncrypt == (CPKIFEncryptedContentInfo*)NULL)
    {
        CPKIFEncryptedContentInfoPtr tmpECIP(new CPKIFEncryptedContentInfo());

        //content type is required so if we get here then we have one (if there wasn't one we'd've failed in the parser)
        //throw bad_alloc or CPKIFException
        CPKIFOIDPtr tmpOID(new CPKIFOID((*m_impl->m_envelopedData)->encryptedContentInfo.contentType.subid, (*m_impl->m_envelopedData)->encryptedContentInfo.contentType.numids));
        tmpECIP->SetOID(tmpOID);

        //actual content is optional - add it to the object if it's there...
        if((*m_impl->m_envelopedData)->encryptedContentInfo.m.encryptedContentPresent)
        {
            //throw bad_alloc
            CPKIFBufferPtr tmpBuf(new CPKIFBuffer((*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.data, (*m_impl->m_envelopedData)->encryptedContentInfo.encryptedContent.numocts));
            tmpECIP->SetContent(tmpBuf);
        }

        CPKIFOIDPtr tmpContentAlgOID(new CPKIFOID((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.algorithm.subid, (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.algorithm.numids));
        CPKIFBufferPtr tmpParams;
        if((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.m.parametersPresent)
        {
            CPKIFBufferPtr newBuf(new CPKIFBuffer((*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.data, (*m_impl->m_envelopedData)->encryptedContentInfo.contentEncryptionAlgorithm.parameters.numocts));
            tmpParams = newBuf;
        }
        
        CPKIFAlgorithmIdentifierPtr contentAlg(new CPKIFAlgorithmIdentifier(tmpContentAlgOID, tmpParams));
        tmpECIP->SetAlgorithmIdentifier(contentAlg);

        //save the new ecip
        CPKIFEnvelopedData* nonConst = const_cast<CPKIFEnvelopedData*>(this);
        nonConst->m_impl->m_dataToEncrypt = tmpECIP;
    }

    return m_impl->m_dataToEncrypt;
}