PKIFPathValidator2.cpp

Go to the documentation of this file.

#include "PKIFPathValidator2.h"

#include "ToolkitUtils.h"
#include "IPKIFCryptoRawOperations.h"
#include "IPKIFCryptoMisc.h"
#include "PKIFFuncStorage.h"
#include "PKIFRevocationStatusInterfaces.h"
#include "PKIFMediators.h"
#include "PKIFX509Extensions2.h"

#include "PKIFErrors.h"
#include "PKIFPathException.h"
#include "PKIFCertificatePath.h"
#include "PKIFPathSettings.h"
#include "BasicChecksUtils.h"
#include "CRLEntry.h"

#include "PKIFTrustRoot.h"
#include "Certificate.h"
#include "PKIFCertStatus.h"
#include "PathResults.h"
#include "PKIFCertificateNodeEntry.h"
#include "PKIFPathBasicChecks2.h"
#include "NameConstraints.h"
#include "InhibitAnyPolicy.h"
#include "PolicyConstraints.h"
#include "BasicConstraints.h"
#include "GeneralSubtree.h"
#include "PolicyInformationSet.h"
#include "PolicyInformation.h"

using boost::dynamic_pointer_cast;

struct CPKIFPathValidator2Impl
{
    CPKIFFuncStoragePtr m_funcs;
    bool m_deleteFunctor;
    bool m_bEnforceTrustAnchorConstraints;
};

CPKIFPathValidator2::CPKIFPathValidator2():m_impl (new CPKIFPathValidator2Impl)
{
    m_impl->m_deleteFunctor = false;
    m_impl->m_bEnforceTrustAnchorConstraints = false;
}
void CPKIFPathValidator2::SetAdditionalCertificateChecks(
    CPKIFFuncStoragePtr& funcs) 
{ 
    LOG_STRING_DEBUG("CPKIFPathValidator2", TOOLKIT_PATH_VALIDATOR, 0, this);

    //XXX-DEFER Should develop a means of accumulating functors or otherwise manipulating the list.
    //          Possibly the interim addition of a "this call only" functor parameter to the validate call will suffice.
    m_impl->m_funcs = funcs; 
}

CPKIFPathValidator2::~CPKIFPathValidator2(void)
{
    LOG_STRING_DEBUG("CPKIFPathValidator2", TOOLKIT_PATH_VALIDATOR, 0, this);
    delete m_impl;
    m_impl = 0;
}

void CPKIFPathValidator2::Initialize() 
{
    LOG_STRING_DEBUG("CPKIFPathValidator2", TOOLKIT_PATH_VALIDATOR, 0, this);
}

bool CPKIFPathValidator2::ValidatePath(
    CPKIFCertificatePath& path, 
    CPKIFPathValidationResults& results,
    CPKIFFuncStoragePtr& thisCallOnlyFuncs)
{
    LOG_STRING_DEBUG("CPKIFPathValidator2", TOOLKIT_PATH_VALIDATOR, 0, this);

    IPKIFCryptoRawOperations* crypto = GetMediatorFromParent<IPKIFCryptoRawOperations>();
    IPKIFCryptoMisc* cryptoMisc = GetMediatorFromParent<IPKIFCryptoMisc>();
    if(NULL == crypto || NULL == cryptoMisc)
        throw CPKIFPathException(thisComponent,COMMON_MEDIATOR_MISSING,"One or both of the IPKIFCryptoRawOperations and IPKIFCryptoMisc interfaces was not available.");

    bool pathGood = false;

    IPKIFTrustAnchorPtr root;
    //IPKIFNameAndKey* targetCertNK = NULL, *rootCertNK = NULL;
    IPKIFNameAndKeyPtr targetCertNK, rootCertNK;
    CPKIFCertificatePtr targetCert;
    path.GetTarget(targetCert);
    path.GetTrustRoot(root);
    if(root == (CPKIFTrustRoot*)NULL)
        throw CPKIFPathException(thisComponent,COMMON_INVALID_INPUT,"The path has no trust root.");

    rootCertNK = boost::dynamic_pointer_cast<IPKIFNameAndKey, IPKIFTrustAnchor>(root);
    //rootCertNK = dynamic_cast<IPKIFNameAndKey*>(&(*(root)));
    targetCertNK = boost::dynamic_pointer_cast<IPKIFNameAndKey, CPKIFCertificate>(targetCert);
    //targetCertNK = dynamic_cast<IPKIFNameAndKey*>(&(*(targetCert)));

    CPKIFCertificateNodeList certs;
    path.GetPath(certs);

    //MOVED THIS UP HERE FROM DOWN BELOW - 04/04/2003 (to handle non-self-signed trust anchors)
    //if the target is a trust root then return true now
    if(*rootCertNK == *targetCertNK && 1 == certs.size())
    {
        CPKIFCertStatusPtr newStatus(new CPKIFCertStatus);
        newStatus->SetIsTrustAnchor(true);
        results.SetCertStatus(newStatus);
        results.SetTargetIsTrustAnchor(true);
        results.SetRevocationStatusMostSevere(NOT_REVOKED);
        results.SetTrustAnchor(root);

        //need to include the status on the target cert in the path too (4/16/2003 - CRW)
        certs[0]->SetStatus(newStatus);

        return true;
    }

    //-----------------------------------------------------------------
    //from section 3.1
    //enforceTrustAnchorConstraints: indicates if trust anchor
    //constraints should be enforced
    //-----------------------------------------------------------------
    if(m_impl->m_bEnforceTrustAnchorConstraints)
    {
        //-----------------------------------------------------------------
        //from section 3.2
        //If no subject distinguished name is associated with the trust
        //anchor, path validation fails.  The name may appear in the subject
        //field of a Certificate or TBSCertificate structure or in the
        //taName field of CertPathControls in a TrustAnchorInfo structure.
        //-----------------------------------------------------------------

        //Nothing to do relative to the subject name requirement.  Path discovery will not return a TA that has no name.

        //declare variables to receive configuration information from TA
        CPKIFPolicyInformationSetPtr pis;
        CPKIFNameConstraintsPtr nc;
        CPKIFInhibitAnyPolicyPtr iap;
        CPKIFPolicyConstraintsPtr pc;
        CPKIFBasicConstraintsPtr bc;

        //harvest the data from the TA
        IPKIFTrustAnchorPtr ta;
        path.GetTrustRoot(ta);

        IPKIFHasExtensionsPtr hep = dynamic_pointer_cast<IPKIFHasExtensions, IPKIFTrustAnchor>(ta);
        if(hep)
        {
            pis = hep->GetExtension<CPKIFPolicyInformationSet>();
            nc = hep->GetExtension<CPKIFNameConstraints>();
            iap = hep->GetExtension<CPKIFInhibitAnyPolicy>();
            pc = hep->GetExtension<CPKIFPolicyConstraints>();
            bc = hep->GetExtension<CPKIFBasicConstraints>();
        }

        std::vector<CPKIFX509ExtensionPtr> exts;
        CPKIFX509ExtensionMediator2 * mediator = CPKIFX509ExtensionMediator2::GetInstance();
        hep->GetExtensions(mediator, exts);

        std::vector<CPKIFX509ExtensionPtr>::iterator pos;
        std::vector<CPKIFX509ExtensionPtr>::iterator end = exts.end();
        for(pos = exts.begin(); pos != end; ++pos)
        {
            //the only extensions we process are those listed above and CCC (which is initialized/processed elsewhere)
            if(dynamic_pointer_cast<CPKIFPolicyInformationSet, CPKIFX509Extension>(*pos))
                continue;
            else if(dynamic_pointer_cast<CPKIFNameConstraints, CPKIFX509Extension>(*pos))
                continue;
            else if(dynamic_pointer_cast<CPKIFInhibitAnyPolicy, CPKIFX509Extension>(*pos))
                continue;
            else if(dynamic_pointer_cast<CPKIFPolicyConstraints, CPKIFX509Extension>(*pos))
                continue;
            else if(dynamic_pointer_cast<CPKIFBasicConstraints, CPKIFX509Extension>(*pos))
                continue;
            else
            {
                //only other possibility we support is CCC - check it by OID
                CPKIFOIDPtr cccOid(new CPKIFOID(CPKIFStringPtr(new std::string("1.3.6.1.5.5.7.1.18"))));
                CPKIFOIDPtr posOid = (*pos)->oid();
                if(*cccOid == *posOid)
                    continue;
                else if((*pos)->isCritical())
                {
                    CPKIFCertificateNodeList certNodeList;
                    path.GetPath(certNodeList);

                    CPKIFCertificateNodeEntryPtr node = certNodeList.front();

                    CPKIFCertStatusPtr status(new CPKIFCertStatus); 
                    status->SetDiagnosticCode(PATH_UNPROCESSED_CRITICAL_EXTENSION); 
                    node->SetStatus(status);    
                    results.SetCertificate(node); 
                    return false;                   
                }
            }
        }

        //get the current user supplied settings
        CPKIFPathSettingsPtr ps;
        path.GetPathSettings(ps);

        if(pis)
        {
            //-----------------------------------------------------------------
            //from section 3.2
            //If certificate policies are associated with the trust anchor, set
            //the user-initial-policy-set variable equal to the intersection of
            //the certificate policies associated with the trust anchor and the
            //user provided user-initial-policy-set.  If one of these two inputs
            //is not provided, the user-initial-policy-set variable is set to
            //the value that is available.  If neither is provided, the user-
            //initial-policy-set variable is set to any-policy.
            //-----------------------------------------------------------------
            CPKIFPolicyInformationListPtr pilFromTa = pis->GetPolicySet();
            CPKIFPolicyInformationListPtr pilFromUser;
            ps->GetInitialPolicySet(pilFromUser);
            if(pilFromTa && pilFromUser)
            {
                if(!pilFromUser->empty() && *g_anyPolicy == *pilFromUser->front())
                {
                    ps->SetInitialPolicySet(pilFromTa);
                }
                else
                {
                    CPKIFPolicyInformationListPtr newPil(new CPKIFPolicyInformationList);
                    IntersectSets(pilFromTa, pilFromUser, newPil);
                    ps->SetInitialPolicySet(newPil);
                }
            }
            else if(pilFromTa)
            {
                ps->SetInitialPolicySet(pilFromTa);
            }
        }

        if(nc)
        {
            //-----------------------------------------------------------------
            //from section 3.2
            //If name constraints are associated with the trust anchor, set the
            //initial-permitted-subtrees variable equal to the intersection of
            //the permitted subtrees from the trust anchor and the user provided
            //initial-permitted-subtrees.  If one of these two inputs is not
            //provided, the initial-permitted-subtrees variable is set to the
            //value that is available.  If neither is provided, the initial-
            //permitted-subtrees variable is set to an infinite set.
            //-----------------------------------------------------------------
            CPKIFGeneralSubtreesPtr permFromTa = nc->GetPermitted();
            CPKIFGeneralSubtreesPtr permFromUser;
            ps->GetInitialPermSubtrees(permFromUser);
            if(permFromTa && permFromUser)
            {
                CPKIFGeneralSubtreesPtr newPerm(new CPKIFGeneralSubtrees);
                IntersectSubtrees(permFromTa, permFromUser, newPerm);
                ps->SetInitialPermSubtrees(newPerm);
            }
            else if(permFromTa)
            {
                ps->SetInitialPermSubtrees(permFromTa);
            }

            //-----------------------------------------------------------------
            //from section 3.2
            //If name constraints are associated with the trust anchor, set the
            //initial-excluded-subtrees variable equal to the union of the
            //excluded subtrees from the trust anchor and the user provided
            //initial-excluded-subtrees.  If one of these two inputs is not
            //provided, the initial-excluded-subtrees variable is set to the
            //value that is available.  If neither is provided, the initial-
            //excluded-subtrees variable is set to an empty set.
            //-----------------------------------------------------------------
            CPKIFGeneralSubtreesPtr exclFromTa = nc->GetExcluded();
            CPKIFGeneralSubtreesPtr exclFromUser;
            ps->GetInitialExclSubtrees(exclFromUser);
            if(exclFromTa && exclFromUser)
            {
                CPKIFGeneralSubtreesPtr newExcl(new CPKIFGeneralSubtrees);
                IntersectSubtrees(exclFromTa, exclFromUser, newExcl);
                ps->SetInitialExclSubtrees(newExcl);
            }
            else if(exclFromTa)
            {
                ps->SetInitialExclSubtrees(exclFromTa);
            }
        }

        if(iap)
        {
            //-----------------------------------------------------------------
            //from section 3.2
            //If an inhibit any policy value of true is associated with the
            //trust anchor (either in a CertPathControls or in an
            //InhibitAnyPolicy extension) and the initial-any-policy-inhibit
            //value is false, set the initial-any-policy-inhibit to true.
            //-----------------------------------------------------------------
            ps->SetInitialInhibitAnyPolicyIndicator(true);
        }

        if(pc)
        {
            if(pc->InhibitPolicyMappingPresent())
            {
                //-----------------------------------------------------------------
                //from section 3.2
                //If an inhibit policy mapping value of true is associated with the
                //trust anchor (either in a CertPathControls or in a
                //PolicyConstraints extension) and the initial-policy-mapping-
                //inhibit value is false, set the initial-policy-mapping-inhibit to
                //true.
                //-----------------------------------------------------------------
                ps->SetInitialPolicyMappingInhibitIndicator(true);
            }
            if(pc->RequireExplicitPolicyPresent())
            {
                //-----------------------------------------------------------------
                //from section 3.2
                //If a require explicit policy value of true is associated with the
                //trust anchor (either in a CertPathControls or in a
                //PolicyConstraints extension) and the initial-explicit-policy value
                //is false, set the initial-explicit-policy to true.
                //-----------------------------------------------------------------
                ps->SetInitialExplicitPolicyIndicator(true);
            }
        }

        //-----------------------------------------------------------------
        //from section 3.2
        //If a basic constraints extension is associated with the trust
        //anchor and contains a pathLenConstraint value, set the
        //max_path_length state variable equal to the pathLenConstraint
        //value from the basic constraints extension.
        //-----------------------------------------------------------------
        if(bc && bc->pathLengthPresent())
        {
            //We do no have the ability to specify the max_path_length state variable.  Thus,
            //the length check emanating from the TA is implemented in full here.  Length constraints
            //included in CA certificates are not checked here, but will be checked as part of routine 
            //path validation.
            int pathLength = bc->pathLength();

            CPKIFCertificateNodeList certsFromPath;
            path.GetPath(certsFromPath);

            CPKIFCertificateNodeList::iterator pos;
            CPKIFCertificateNodeList::iterator end = certsFromPath.end();
            for(pos = certsFromPath.begin(); pos != end; ++pos)
            {
                CPKIFCertificatePtr curCert = (*pos)->GetCert();
                if(curCert && !curCert->IsSelfIssued())
                {
                    --pathLength;

                    if(pathLength < 0)
                    {
                        CPKIFCertStatusPtr status(new CPKIFCertStatus); 
                        status->SetDiagnosticCode(PATH_LENGTH_VIOLATION); 
                        (*pos)->SetStatus(status);  
                        results.SetCertificate(*pos); 
                    }
                }
            }
        }
    }//end trust anchor constraint enforcement block

    //First step: perform basic path checks
    if(m_impl->m_funcs == (CPKIFFuncStorage*)NULL)//no functions set via SetAdd'l
    {
        if(thisCallOnlyFuncs == (CPKIFFuncStorage*)NULL)
        {
            CPKIFFuncStoragePtr empty;
            pathGood = CPKIFPathBasicChecks2::DoChecks(path, results, empty);
        }
        else
            pathGood = CPKIFPathBasicChecks2::DoChecks(path, results, thisCallOnlyFuncs);
    }
    else //there were some passed via SetAdd'l
    {
        //need to chain the two
        if(thisCallOnlyFuncs == NULL)
            pathGood = CPKIFPathBasicChecks2::DoChecks(path, results, m_impl->m_funcs);
        else
        {
            CPKIFFuncStoragePtr combo(new CPKIFFuncStorage(NULL));
            combo->addFuncs(*m_impl->m_funcs);
            combo->addFuncs(*thisCallOnlyFuncs);

            pathGood = CPKIFPathBasicChecks2::DoChecks(path, results, combo);
        }
    }

    //if we failed a basic check - return failure
    if(!pathGood)
    {
        //added next line 7/28/2004 to make cert status setting consistent
        FindErrorAndSetOnResults(path, results);
        return false;
    }

    //otherwise, check signatures on all certs in the path 
    if(!PathSigChecker(path, crypto, cryptoMisc, results))
    {
        //added next line 7/28/2004 to make cert status setting consistent
        FindErrorAndSetOnResults(path, results);
        return false;
    }

    //added settings check 2/20/2003 - CRW
    CPKIFPathSettingsPtr settings;
    path.GetPathSettings(settings);

    bool bCheckRevStatus = true;
    if(settings != (CPKIFPathSettings*)NULL)
        bCheckRevStatus = settings->GetCheckRevocationStatus();

    //finally, check the revocation status of all certs in the path
    IPKIFRevocationStatus* revStatus = GetMediatorFromParent<IPKIFRevocationStatus>();
    if(NULL != revStatus && bCheckRevStatus)//added check rev status condition 2/20/2003 - CRW
    {
        //if we have no status checking interface then we may be in an offline mode
        //of operation.  don't fail but don't advance the status to indicate revocation
        //status is good.

        RevocationStatus rStatus;
        CPKIFCRLEntryPtr crlEntry;
        bool statusDetermined = revStatus->CheckStatusPath(path, rStatus);
        if(NOT_REVOKED != rStatus)
        {
            //walk the path, find the cert that caused the error and set it
            //on the validation results object
            FindErrorAndSetOnResults(path, results);
            //results.SetCRLEntry(crlEntry);

            return false;
        }

        //the path has earned still another check mark
        results.SetRevocationStatusMostSevere(rStatus);
    }

    //if we get here then all basic checks succeeded, all signature verified and revocation status is non-revoked

    //added following code 7/28/2004 to make cert status setting consistent
    CPKIFCertificateNodeList nodes;
    path.GetPath(nodes);
    if(!nodes.empty())
    {
        CPKIFCertificateNodeEntryPtr target = nodes.back();
        if(target != NULL) {
            CPKIFCertStatusPtr tmpStatus = target->GetStatus();
            results.SetCertStatus(tmpStatus);
        }
    }

    return true;
}

bool CPKIFPathValidator2::GetEnforceTrustAnchorConstraints() const
{
    return m_impl->m_bEnforceTrustAnchorConstraints;
}
void CPKIFPathValidator2::SetEnforceTrustAnchorConstraints(bool b)
{
    m_impl->m_bEnforceTrustAnchorConstraints = b;
}