Module: Miscellaneous
Definition in file SCVPUtils.cpp.
#include "AlgorithmIdentifier.h"
#include "ASN1Helper.h"
#include "Buffer.h"
#include "Certificate.h"
#include "CRL.h"
#include "Duration.h"
#include "IPKIFCryptoMisc.h"
#include "IPKIFHashContext.h"
#include "KeyUsage.h"
#include "Name.h"
#include "OID.h"
#include "Period.h"
#include "PKIFAlgorithm.h"
#include "PKIFCertificatePath.h"
#include "PKIFMediators.h"
#include "PKIFCryptUtils.h"
#include "PKIFPathSettings.h"
#include "PKIFTime.h"
#include "PolicyInformation.h"
#include "ToolkitUtils.h"
#include "PKIFSCVP.h"
#include "private/SCVPUtils.h"
#include "ContentInfo.h"
#include "EncapsulatedContentInfo.h"
#include "PKIFCMSUtils.h"
#include "SignedData.h"
#include "SignerInfo.h"
Functions | |
void | PopulateKeyAgreePublicKey (CACX509V3AlgorithmIdentifier *objAlgID, CPKIFAlgorithmIdentifierPtr algID) |
void | PopulateKeyUsage (CACX509V3KeyUsage *keyUsageStruct, CPKIFKeyUsagePtr &keyUsage) |
void | PopulateValidationPolicy (ValidationPolicy *valPolResponse, CPKIFValidationPolicyPtr valPol, OOCTXT &ctxt) |
CPKIFGeneralNameListPtr | PopulatePKIFGeneralNameList (DList *list) |
CPKIFOIDListPtr | PopulatePKIFOIDList (DList *list) |
void | PopulateDListWithCACX509V3GeneralName (DList *list, CPKIFGeneralNameListPtr pkifGenNameList) |
void | PopulateDListWithASN1OBJID (DList *list, CPKIFOIDListPtr pkifOIDList) |
void | PopulateDListWithCACX509V3AlgorithmIdentifier (DList *list, CPKIFAlgorithmIdentifierListPtr pkifOIDList) |
CPKIFAlgorithmIdentifierListPtr | PopulatePKIFAlgorithmIdentifierList (DList *list) |
void | PopulateACReference (ACReference *pACReference, CPKIFACReferencePtr &acRef, OOCTXT &ctxt) |
void | PopulatePKCReference (PKCReference *pkcReferenceStruct, CPKIFPKCReferencePtr &pkcRef, OOCTXT &ctxt) |
void | PopulateQuery (Query *queryOut, CPKIFQueryPtr query, OOCTXT &ctxt) |
void | PopulateReplyObjects (ReplyObjects *list, CPKIFCertReplyListPtr &replyObjects, OOCTXT &ctxt) |
bool | ValPolAndPathSettingsMatch (CPKIFValPolResponsePtr &vpr, CPKIFPathSettingsPtr &ps) |
CPKIFValidationPolicyPtr | PrepareCustomValidationPolicyIfNecessary (CPKIFPathSettingsPtr &ps, IPKIFScvpClient *scvpClient) |
CPKIFQueryPtr | MakeQueryForPath (CPKIFCertificatePath &path, CPKIFOIDPtr &certCheck, IPKIFScvpClient *scvpClient) |
SCVP_SignatureState | VerifyResponseSignature (CPKIFBufferPtr &encResp, IPKIFScvpClient *scvpClient, CPKIFCVRequestPtr &req, bool reqIsDpd, CPKIFCVResponsePtr &parsedCvResponse) |
bool | NameMatchesSCVPCertId (CPKIFSCVPCertIDPtr &certId, CPKIFNamePtr &issName) |
bool | CertReferenceMatchesCertificate (CPKIFCertReferencePtr &cr, CPKIFCertificatePtr &targetCert) |
CPKIFCertReplyPtr | GetReplyObject (CPKIFCertReplyListPtr &replyObjects, CPKIFCertificatePtr &targetCert) |
bool | MakeSureReplyChecksAreSuccessfulAndValErrorsAreAbsent (CPKIFCertReplyPtr &replyObject) |
bool CertReferenceMatchesCertificate | ( | CPKIFCertReferencePtr & | cr, | |
CPKIFCertificatePtr & | targetCert | |||
) |
Interface: Subsystem
This function compares a certificate with a certificate reference and returns true if they match, false otherwise.
Definition at line 1968 of file SCVPUtils.cpp.
References CPKIFAlgorithm::DigestSize(), CPKIFAlgorithm::GetAlg(), GetPlatformCryptoMisc(), CPKIFAlgorithm::HashAlg(), IPKIFCryptoMisc::HashFinal(), IPKIFCryptoMisc::HashInit(), IPKIFCryptoMisc::HashUpdate(), and NameMatchesSCVPCertId().
Referenced by GetReplyObject().
CPKIFCertReplyPtr GetReplyObject | ( | CPKIFCertReplyListPtr & | replyObjects, | |
CPKIFCertificatePtr & | targetCert | |||
) |
Interface: Subsystem
This function returns the SCVP reply object that matches the certificate.
replyObjects | [in] List of reply objects to search |
targetCert | [in] Target certificate |
Definition at line 2047 of file SCVPUtils.cpp.
References CertReferenceMatchesCertificate().
Referenced by CPKIFScvpPathBuildAndValidate::BuildAndValidatePath(), and CPKIFScvpPathBuild::BuildPath().
CPKIFQueryPtr MakeQueryForPath | ( | CPKIFCertificatePath & | path, | |
CPKIFOIDPtr & | certCheck, | |||
IPKIFScvpClient * | scvpClient | |||
) |
Interface: Subsystem
MakeQueryForPath looks at a certificate path and an IPKIFScvpClient and creates a Query object consistent with those inputs for the type of check indicated by the certCheck parameter. This function always includes in the Query the full certificate obtained by calling GetTarget on the path parameter.
Query ::= SEQUENCE {
    queriedCerts            CertReferences,
    checks                  CertChecks,
    -- Note: tag [0] not used --
    wantBack            [1] WantBack OPTIONAL,
    validationPolicy        ValidationPolicy,
    responseFlags           ResponseFlags OPTIONAL,
    serverContextInfo   [2] OCTET STRING OPTIONAL,
    validationTime      [3] GeneralizedTime OPTIONAL,
    intermediateCerts   [4] CertBundle OPTIONAL,
    revInfos            [5] RevocationInfos OPTIONAL,
    producedAt          [6] GeneralizedTime OPTIONAL,
    queryExtensions     [7] Extensions OPTIONAL }
path | [in] Certification path object containing the target of the path processing operation |
certCheck | [in] Object identifier that indicates the type of check to perform (expected to be g_id_stc_build_pkc_path or g_id_stc_build_status_checked_pkc_path) |
scvpClient | [in] Pointer to the SCVP client (used to collect various settings that influence the query) |
Definition at line 1670 of file SCVPUtils.cpp.
References CPKIFPeriod::contains(), CPKIFTime::CurrentTime(), g_id_stc_build_pkc_path, IPKIFScvpClient::GetGenerateNonce(), CPKIFCertificatePath::GetPathSettings(), IPKIFScvpClient::GetRequireNonceMatch(), IPKIFScvpClient::GetRequireSignedDPD(), CPKIFCertificatePath::GetTarget(), IPKIFScvpClient::GetWantBacks(), and PrepareCustomValidationPolicyIfNecessary().
Referenced by CPKIFScvpPathBuildAndValidate::BuildAndValidatePath(), and CPKIFScvpPathBuild::BuildPath().
bool MakeSureReplyChecksAreSuccessfulAndValErrorsAreAbsent | ( | CPKIFCertReplyPtr & | replyObject | ) |
Interface: Subsystem
Returns true if all replyChecks indicate success and valErrors are absent, false otherwise.
replyObject | [in] Cert reply object |
Definition at line 2076 of file SCVPUtils.cpp.
Referenced by CPKIFScvpPathBuildAndValidate::BuildAndValidatePath(), and CPKIFScvpPathBuild::BuildPath().
bool NameMatchesSCVPCertId | ( | CPKIFSCVPCertIDPtr & | certId, | |
CPKIFNamePtr & | issName | |||
) |
Interface: Subsystem
This function compares a name with an SCVP certificate ID and returns true if they match, false otherwise.
Definition at line 1941 of file SCVPUtils.cpp.
References CPKIFGeneralName::DIRECTORYNAME.
Referenced by CertReferenceMatchesCertificate().
void PopulateACReference | ( | ACReference * | pACReference, | |
CPKIFACReferencePtr & | acRef, | |||
OOCTXT & | ctxt | |||
) |
Interface: Subsystem
This function populates an ACReference structure.
Definition at line 637 of file SCVPUtils.cpp.
References COMMON_INVALID_INPUT, ConvertStringToASN1OBJID(), CopyGeneralName(), CopyOID(), NEW_NEXT_AND_ADVANCE, NEW_NODE, SET_HEAD_TAIL_INCREMENT, TOOLKIT_SCVP, and TOOLKIT_SCVP_ASN.
Referenced by PopulateQuery().
void PopulateDListWithASN1OBJID | ( | DList * | list, | |
CPKIFOIDListPtr | pkifOIDList | |||
) |
Interface: Subsystem
This is a helper function that populates a DList with ASN1OBJID objects.
Definition at line 509 of file SCVPUtils.cpp.
References ConvertStringToASN1OBJID(), CopyOID(), NEW_NEXT_AND_ADVANCE, NEW_NODE, and SET_HEAD_TAIL_INCREMENT.
Referenced by CPKIFValPolResponse::Encode(), PopulateQuery(), PopulateReplyObjects(), and PopulateValidationPolicy().
void PopulateDListWithCACX509V3AlgorithmIdentifier | ( | DList * | list, | |
CPKIFAlgorithmIdentifierListPtr | pkifOIDList | |||
) |
Interface: Subsystem
This is a helper function that populates a DList with CACX509V3AlgorithmIdentifier objects.
Definition at line 553 of file SCVPUtils.cpp.
References ConvertStringToASN1OBJID(), CopyOID(), NEW_NEXT_AND_ADVANCE, NEW_NODE, and SET_HEAD_TAIL_INCREMENT.
Referenced by CPKIFValPolResponse::Encode().
void PopulateDListWithCACX509V3GeneralName | ( | DList * | list, | |
CPKIFGeneralNameListPtr | pkifGenNameList | |||
) |
Interface: Subsystem
This is a helper function that populates a DList with CACX509V3GeneralName objects.
Definition at line 470 of file SCVPUtils.cpp.
References CopyGeneralName(), NEW_NEXT_AND_ADVANCE, NEW_NODE, and SET_HEAD_TAIL_INCREMENT.
void PopulateKeyAgreePublicKey | ( | CACX509V3AlgorithmIdentifier * | objAlgID, | |
CPKIFAlgorithmIdentifierPtr | algID | |||
) |
Interface: Subsystem
This is a helper function that populates a KeyAgreePublicKey object.
Definition at line 50 of file SCVPUtils.cpp.
References ConvertStringToASN1OBJID(), and CopyOID().
Referenced by CPKIFValPolResponse::Encode().
void PopulateKeyUsage | ( | CACX509V3KeyUsage * | keyUsageStruct, | |
CPKIFKeyUsagePtr & | keyUsage | |||
) |
Interface: Module
This function populates a CACX509V3KeyUsage structure.
keyUsageStruct | [in/out] Pointer to the CACX509V3KeyUsage structure which will be populated |
keyUsage | [in] Smart pointer to the CPKIFKeyUsage object which contains the values used in populating the CACX509V3KeyUsage structure |
Definition at line 74 of file SCVPUtils.cpp.
Referenced by PopulateValidationPolicy().
void PopulatePKCReference | ( | PKCReference * | pkcReferenceStruct, | |
CPKIFPKCReferencePtr & | pkcRef, | |||
OOCTXT & | ctxt | |||
) |
Interface: Subsystem
This function populates a PKCReference structure.
pkcReferenceStruct | [in/out] Pointer to the PKCReference structure which will be populated |
pkcRef | [in] Smart pointer to the CPKIFPKCReference object which contains the values used in populating the PKCReference structure |
Definition at line 737 of file SCVPUtils.cpp.
References COMMON_INVALID_INPUT, ConvertStringToASN1OBJID(), CopyGeneralName(), CopyOID(), NEW_NEXT_AND_ADVANCE, NEW_NODE, SET_HEAD_TAIL_INCREMENT, TOOLKIT_SCVP, and TOOLKIT_SCVP_ASN.
Referenced by PopulateQuery().
CPKIFAlgorithmIdentifierListPtr PopulatePKIFAlgorithmIdentifierList | ( | DList * | list | ) |
Interface: Subsystem
This is a helper function that populates a CPKIFAlgorithmIdentifierList with objects from a DList.
Definition at line 603 of file SCVPUtils.cpp.
Referenced by CPKIFValPolResponse::Decode().
CPKIFGeneralNameListPtr PopulatePKIFGeneralNameList | ( | DList * | list | ) |
Interface: Subsystem
This is a helper function that populates a CPKIFGeneralNameList with objects from a DList.
Definition at line 421 of file SCVPUtils.cpp.
References CACASNWRAPPER_CREATE.
CPKIFOIDListPtr PopulatePKIFOIDList | ( | DList * | list | ) |
Interface: Subsystem
This is a helper function that populates a CPKIFOIDList with objects from a DList.
Definition at line 450 of file SCVPUtils.cpp.
Referenced by CPKIFValidationPolicy::CPKIFValidationPolicy(), and CPKIFValPolResponse::Decode().
void PopulateQuery | ( | Query * | queryOut, | |
CPKIFQueryPtr | query, | |||
OOCTXT & | ctxt | |||
) |
Interface: Subsystem
This function populates the query item of a CVRequest.
queryOut | [in/out] A pointer to the Query structure of the CVRequest which will be populated. |
query | [in] A smart pointer to the CPKIFQuery object which contains the values used in populating the Query structure |
Definition at line 840 of file SCVPUtils.cpp.
References ConvertStringToASN1OBJID(), CopyOID(), NEW_NEXT_AND_ADVANCE, NEW_NODE, PopulateACReference(), PopulateDListWithASN1OBJID(), PopulatePKCReference(), PopulateValidationPolicy(), SET_HEAD_TAIL_INCREMENT, and TOOLKIT_SCVP.
Referenced by CPKIFCVRequest::Encode().
void PopulateReplyObjects | ( | ReplyObjects * | list, | |
CPKIFCertReplyListPtr & | replyObjects, | |||
OOCTXT & | ctxt | |||
) |
Interface: Subsystem
This function populates a ReplyObjects structure.
list | [out] A pointer to the ReplyObjects structure of the CVResponse which will be populated. |
replyObjects | [in] A reference to a smart pointer to the CPKIFCertReplyList object |
Definition at line 1146 of file SCVPUtils.cpp.
References ConvertStringToASN1OBJID(), CopyGeneralName(), CopyOID(), NEW_NEXT_AND_ADVANCE, NEW_NODE, PopulateDListWithASN1OBJID(), SET_HEAD_TAIL_INCREMENT, and TOOLKIT_SCVP.
void PopulateValidationPolicy | ( | ValidationPolicy * | valPolResponse, | |
CPKIFValidationPolicyPtr | valPol, | |||
OOCTXT & | ctxt | |||
) |
Interface: Subsystem
This is a helper function that populates a ValidationPolicy object.
Definition at line 147 of file SCVPUtils.cpp.
References ConvertStringToASN1OBJID(), CopyGeneralName(), CopyOID(), NEW_NEXT_AND_ADVANCE, NEW_NODE, PopulateDListWithASN1OBJID(), PopulateKeyUsage(), SET_HEAD_TAIL_INCREMENT, and TOOLKIT_SCVP.
Referenced by CPKIFValPolResponse::Encode(), and PopulateQuery().
CPKIFValidationPolicyPtr PrepareCustomValidationPolicyIfNecessary | ( | CPKIFPathSettingsPtr & | ps, | |
IPKIFScvpClient * | scvpClient | |||
) |
Interface: Subsystem
By default a CPKIFQuery object includes a ValidationPolicy with only a validationPolRef that specifies the default validation policy. A PKIF client can pass in a CPKIFPathSettings object that customizes the RFC 3280 path processing inputs. This function compares the path settings against the current validation policy from the server (as obtained by calling GetValPol then VerifyValPol on the scvpClient parameter). If the path settings in the ps parameter are different, a new validation policy object is created. If there is no validation policy available via GetValPol, a new validation policy object is created. Otherwise, NULL is returned and the default validation policy is sufficient. Some fields in the ValidationPolicy are never modified by this function. These are: validationAlg, trustAnchors, keyUsages, extendedKeyUsages and specifiedKeyUsages.
ValidationPolicy ::= SEQUENCE {
    validationPolRef            ValidationPolRef,
    validationAlg           [0] ValidationAlg OPTIONAL,
    userPolicySet           [1] SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL,
    inhibitPolicyMapping    [2] BOOLEAN OPTIONAL,
    requireExplicitPolicy   [3] BOOLEAN OPTIONAL,
    inhibitAnyPolicy        [4] BOOLEAN OPTIONAL,
    trustAnchors            [5] TrustAnchors OPTIONAL,
    keyUsages               [6] SEQUENCE OF KeyUsage OPTIONAL,
    extendedKeyUsages       [7] SEQUENCE OF KeyPurposeId OPTIONAL,
    specifiedKeyUsages      [8] SEQUENCE OF KeyPurposeId OPTIONAL }
Definition at line 1594 of file SCVPUtils.cpp.
References g_id_svp_defaultValPolicy, IPKIFScvpClient::GetValPol(), ValPolAndPathSettingsMatch(), and IPKIFScvpClient::VerifyValPol().
Referenced by MakeQueryForPath().
bool ValPolAndPathSettingsMatch | ( | CPKIFValPolResponsePtr & | vpr, | |
CPKIFPathSettingsPtr & | ps | |||
) |
Interface: Subsystem
This function compares a validation policy and path settings. Returns true if they match, false otherwise.
Definition at line 1511 of file SCVPUtils.cpp.
Referenced by PrepareCustomValidationPolicyIfNecessary().
SCVP_SignatureState VerifyResponseSignature | ( | CPKIFBufferPtr & | encResp, | |
IPKIFScvpClient * | scvpClient, | |||
CPKIFCVRequestPtr & | req, | |||
bool | reqIsDpd, | |||
CPKIFCVResponsePtr & | parsedCvResponse | |||
) |
Interface: Subsystem
VerifyResponseSignature parses a CVResponse and, if necessary, verifies the signature. If the return value is either SS_OK or SS_SIGNATURE_NOT_VERIFIED, the parsed CVResponse is returned via the outbound parsedCvResponse parameter; because SS_SIGNATURE_NOT_VERIFIED means the response was parsed but its signature was not verified, callers must check the return value before relying on the contents of parsedCvResponse. This function also checks the value of the responseStatus field and checks the nonce, if the request included a nonce.
Possible errors include: SS_BAD_RESPONSE_STATUS, SS_MISSING_NONCE, SS_NONCE_MISMATCH, SS_OTHER_ERROR, SS_UNPROTECTED_PAYLOAD and SS_UNSUPPORTED_PAYLOAD.
encResp | [in] Encoded CVResponse to parse |
scvpClient | [in] Pointer to the SCVP client |
req | [in] The request that produced the response; used for the nonce check |
reqIsDpd | [in] |
parsedCvResponse | [out] Parsed CVResponse; populated only when the return value is SS_OK or SS_SIGNATURE_NOT_VERIFIED |
Definition at line 1829 of file SCVPUtils.cpp.
References CPKIFContentInfo::Decode(), g_id_ct_scvp_certValResponse, g_signedData, CPKIFContentInfo::GetContent(), CPKIFContentInfo::GetContentType(), IPKIFScvpClient::GetMediator(), IPKIFScvpClient::GetRequireSignedDPD(), NOT_VERIFIED, SS_BAD_RESPONSE_STATUS, SS_MISSING_NONCE, SS_NONCE_MISMATCH, SS_OK, SS_OTHER_ERROR, SS_SIGNATURE_NOT_VERIFIED, SS_UNPROTECTED_PAYLOAD, and SS_UNSUPPORTED_PAYLOAD.
Referenced by CPKIFScvpPathBuildAndValidate::BuildAndValidatePath(), and CPKIFScvpPathBuild::BuildPath().