SCVPUtils_WantBacks.cpp

Go to the documentation of this file.
00001 
00010 //PKIF includes
00011 #include "pkif.h"
00012 #include "PKIFCryptUtils.h"
00013 
00014 //PKIFSCVP includes
00015 #include "CertBundle.h"
00016 #include "CertReferences.h"
00017 #include "IPKIFScvpClient.h"
00018 #include "PKCReference.h"
00019 #include "ReplyWantBack.h"
00020 #include "RevocationInfo.h"
00021 #include "RevInfoWantBack.h"
00022 #include "ValidationPolicy.h"
00023 #include "ValPolResponse.h"
00024 
00025 //PKIFERS includes
00026 #include "ERSConstants.h"
00027 #include "EvidenceRecord.h"
00028 #include "EvidenceRecordBundle.h"
00029 #include "EvidenceRecordVerifier.h"
00030 
00031 #include <cstring>
00032 
00033 using namespace boost;
00034 using namespace std;
00042 CPKIFRevocationInfoListPtr PKIFSCVP_API GetRevInfos(CPKIFBufferPtr& revInfoWB)
00043 {
00044     CPKIFRevocationInfoListPtr empty;
00045     if(!revInfoWB)
00046         return empty;
00047 
00048     try
00049     {
00050         CPKIFRevInfoWantBack revInfo(revInfoWB);
00051         CPKIFRevocationInfoListPtr revInfos;
00052         revInfo.GetRevInfos(revInfos);
00053         return revInfos;
00054     }
00055     catch(...)
00056     {
00057         return empty;
00058     }
00059 }
00067 bool CrlCoversCert(
00069     CPKIFCRLPtr& crl,
00071     CPKIFCertificatePtr& cert)
00072 {
00073     CPKIFNamePtr crlIssuer = crl->Issuer();
00074     CPKIFNamePtr certIssuer = cert->Issuer();
00075     CPKIFCRLDistributionPointsPtr cdp = cert->GetExtension<CPKIFCRLDistributionPoints>();
00076     CPKIFIssuingDistributionPointPtr idp = crl->GetExtension<CPKIFIssuingDistributionPoint>();
00077     if(!idp && (*certIssuer == *crlIssuer))
00078         return true;
00079     else if(idp && cdp)
00080     {
00081         CPKIFDistributionPointNamePtr dp = idp->DistributionPoint();
00082         CPKIFCRLDistributionPointListPtr dps = cdp->DPs();
00083         if(dp && dps)
00084         {
00085             CPKIFCRLDistributionPointList::iterator pos;
00086             CPKIFCRLDistributionPointList::iterator end = dps->end();
00087             for(pos = dps->begin(); pos != end; ++pos)
00088             {
00089                 CPKIFDistributionPointNamePtr posDP = (*pos)->DistributionPoint();
00090                 if((*posDP) == *dp)
00091                     return true;
00092             }
00093         }
00094     }
00095 
00096     return false;
00097 }
00098 
00110 CPKIFBufferPtr _HashIssuerName(
00112     const CPKIFCertificate& cert, 
00114     IPKIFCryptoMisc* cMisc)
00115 {
00116     //get the issuer name from the cert
00117     CPKIFNamePtr issuerName = cert.Issuer();
00118     if(issuerName == (CPKIFName*)NULL)
00119         throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_INVALID_INPUT,"Invalid cert passed to issuer name hashing function");
00120 
00121     //encode it
00122     CPKIFBufferPtr tmp = issuerName->Encoded();
00123 
00124     //get a hash context
00125     IPKIFHashContext* hi = cMisc->HashInit(PKIFCRYPTO::SHA1);
00126     if(NULL == hi)
00127         throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_UNSUPPORTED_ALG,"");
00128 
00129     //allocate memory for hash result - this will be handed off to the buffer pointer below
00130     int hashResultLen = MAXHASH;
00131     unsigned char* hashResult = NULL;
00132     
00133     try
00134     {
00135         hashResult = new unsigned char[MAXHASH];
00136     }
00137     catch(std::bad_alloc& ba)
00138     {
00139         delete hi;
00140         throw ba;
00141     }
00142 
00143     try
00144     {
00145         cMisc->HashUpdate(hi, (unsigned char*)tmp->GetBuffer(), tmp->GetLength());
00146         cMisc->HashFinal(hi, hashResult, &hashResultLen);
00147     }
00148     catch(CPKIFException& e)
00149     {
00150         delete hi;
00151         delete[] hashResult;
00152         throw e;
00153     }
00154     delete hi;
00155 
00156     CPKIFBufferPtr issuerNameHash(new CPKIFBuffer(true, hashResult, hashResultLen));
00157     return issuerNameHash;
00158 }
00159 
00167 bool _CertIDMatchesCert(
00169     CPKIFCertIDPtr& cid, 
00171     const CPKIFCertificate& cert, 
00173     IPKIFCryptoMisc* m)
00174 {
00175     LOG_STRING_DEBUG("_CertIDMatchesCert", TOOLKIT_OCSP_CHECKER, 0, NULL);
00176 
00177     //get serial number from cert ID and certificate
00178     const char* cidSN = cid->GetSerialNumber();
00179     const char* certSN = cert.SerialNumber();
00180 
00181     //fail if either are NULL or if they do not match
00182     //reviewed 4/24 - added strlen
00183     if(NULL == cidSN || NULL == certSN || strlen(cidSN) != strlen(certSN) ||
00184         0 != stricmp(cidSN, certSN))
00185         return false;
00186 
00187     //generate a hash of the certificate's issuer and get pointer to issuer hash from cert ID
00188     CPKIFBufferPtr certHashBuf = _HashIssuerName(cert, m);
00189     CPKIFBufferPtr cidHashBuf = cid->GetIssuerNameHash();
00190 
00191     //fail if they do not match
00192     if(!(*certHashBuf == *cidHashBuf))
00193         return false;
00194 
00195     //if we get here then we have a match
00196     return true;
00197 }
00205 bool OcspResponseCoversCertificate(
00207     CPKIFOCSPResponsePtr& ocsp,
00209     CPKIFCertificatePtr& cert)
00210 {
00211     IPKIFCryptoMisc* cryptoMisc = GetPlatformCryptoMisc();
00212     
00213     CPKIFResponseBytesPtr responseBytes = ocsp->GetResponseBytes();
00214     if(responseBytes == (CPKIFResponseBytes*)NULL)
00215     {
00216         return false;
00217     }
00218 
00219     //make sure it's a response type we support (currently basic only)
00220     if(!(*g_ocspBasic == responseBytes->GetResponseType()))
00221     {
00222         return false;
00223     }
00224 
00225     //get the encoded basic response
00226     CPKIFBufferPtr responseBuf = responseBytes->GetResponse();
00227 
00228     //decode the basic response
00229     CPKIFBasicOCSPResponsePtr basicOCSPResponse(new CPKIFBasicOCSPResponse);
00230     basicOCSPResponse->Decode(responseBuf);
00231 
00232     CPKIFResponseDataPtr responseData = basicOCSPResponse->GetResponseData();
00233 
00234     CPKIFSingleResponseList responses;
00235     responseData->GetResponses(responses);
00236 
00237     CPKIFSingleResponseList::iterator pos;
00238     CPKIFSingleResponseList::iterator end = responses.end();
00239     CPKIFSingleResponsePtr targetResponse;
00240     for(pos = responses.begin(); pos != end; ++pos)
00241     {
00242         //1. The certificate identified in a received response corresponds to
00243         //that which was identified in the corresponding request; (i.e. find the 
00244         //target cert in the list of responses)
00245         CPKIFCertIDPtr cid = (*pos)->GetCertID();
00246         if(_CertIDMatchesCert(cid, *cert, cryptoMisc))
00247         {
00248             targetResponse = *pos;
00249             return true;
00250         }
00251     }
00252 
00253     return false;
00254 }
00255 
00266 void AssociateRevInfoWithCertStatusIfPossible(
00268     CPKIFRevocationInfoListPtr& revInfos, 
00270     CPKIFCertStatusPtr& status,
00272     CPKIFCertificatePtr& cert)
00273 {
00274     CPKIFCRLInfoPtr crlInfo;
00275     CPKIFOCSPInfoPtr ocspInfo;
00276     CPKIFRevocationInfoList::iterator pos;
00277     CPKIFRevocationInfoList::iterator end = revInfos->end();
00278     for(pos = revInfos->begin(); pos != end; ++pos)
00279     {
00280         //see if we have a revocation info object that corresponds to the cert, if so
00281         //stuff the rev info object in the status object
00282         REVINFOTYPE rit = (*pos)->GetRevInfoType();
00283         switch(rit)
00284         {
00285         case REVINFOTYPE_CRL:
00286             {
00287             CPKIFCRLPtr crl = (*pos)->GetCRL();
00288             if(CrlCoversCert(crl, cert))
00289             {
00290                 if(!crlInfo)
00291                 {
00292                     CPKIFCRLInfoPtr tmp(new CPKIFCRLInfo);
00293                     crlInfo = tmp;
00294                 }
00295                 crlInfo->AddCRL(crl);
00296             }
00297             break;
00298             }
00299         case REVINFOTYPE_DELTACRL:
00300             {
00301             CPKIFCRLPtr crl = (*pos)->GetDeltaCRL();
00302             if(CrlCoversCert(crl, cert))
00303             {
00304                 if(!crlInfo)
00305                 {
00306                     CPKIFCRLInfoPtr tmp(new CPKIFCRLInfo);
00307                     crlInfo = tmp;
00308                 }
00309                 crlInfo->AddCRL(crl);
00310             }
00311             break;
00312             }
00313         case REVINFOTYPE_OCSPRESP:
00314             {
00315             CPKIFBufferPtr ocspRespBuf = (*pos)->GetOCSPResp();
00316             CPKIFOCSPResponsePtr ocspResp(new CPKIFOCSPResponse);
00317             ocspResp->Decode(ocspRespBuf);
00318             if(OcspResponseCoversCertificate(ocspResp, cert))
00319             {
00320                 if(!ocspInfo)
00321                 {
00322                     CPKIFOCSPInfoPtr tmp(new CPKIFOCSPInfo);
00323                     ocspInfo = tmp;
00324                 }
00325                 ocspInfo->SetOCSPResponse(ocspResp);
00326             }
00327             break;
00328             }
00329         case REVINFOTYPE_OTHER:
00330             //not supported
00331             break;
00332         case REVINFOTYPE_NONE:
00333         default:
00334             //something is broken
00335             break;
00336         }
00337     }
00338 
00339     if(crlInfo && status)
00340     {
00341         status->AddRevocationSource(REVSOURCE_CRL, REV_INFO_CAST(crlInfo), SERVER_CHECKED, 0);
00342     }
00343 
00344     if(ocspInfo && status)
00345     {
00346         status->AddRevocationSource(REVSOURCE_OCSP, REV_INFO_CAST(ocspInfo), SERVER_CHECKED, 0);
00347     }
00348 }
00356 CPKIFTrustRootPtr GetTrustRootFromValPol(
00358     CPKIFValPolResponsePtr& vpr, 
00360     CPKIFCertificatePtr& issuedByTheRoot,
00362     IPKIFCryptoRawOperations* cryptoRaw)
00363 {
00364     CPKIFTrustRootPtr empty;
00365     if(!vpr || !issuedByTheRoot || !cryptoRaw)
00366         return empty;
00367 
00368     CPKIFValidationPolicyPtr valPol = vpr->GetRespValidationPolicy();
00369     if(!valPol)
00370         return empty;
00371 
00372     CPKIFPKCReferenceListPtr tas;
00373     valPol->GetTAs(tas);
00374 
00375     if(!tas || tas->empty())
00376         return empty;
00377 
00378     CPKIFNamePtr issuerName = issuedByTheRoot->Issuer();
00379 
00380     CPKIFPKCReferenceList::iterator pos;
00381     CPKIFPKCReferenceList::iterator end = tas->end();
00382     for(pos = tas->begin(); pos != end; ++pos)
00383     {
00384         CPKIFCertificatePtr cert = (*pos)->GetCert();
00385         CPKIFNamePtr subjectName = cert->Subject();
00386 
00387         if(*issuerName == *subjectName &&
00388             cryptoRaw->VerifyCertificate(*cert, *issuedByTheRoot))
00389         {
00390             CPKIFTrustRootPtr tr(new CPKIFTrustRoot);
00391             tr->SetCert(cert);
00392             return tr;
00393         }
00394     }
00395 
00396     return empty;
00397 }
00405 void AssociateEvidenceRecordResultsWithWantBack(
00407     SeqResultsPtr& seqResults,
00409     CPKIFOIDPtr& wantBackType,
00411     CPKIFReplyWantBack_ExtDataHandlerPtr& wantBacks)
00412 {
00413     if(!wantBacks || !wantBackType || !seqResults)
00414         return;
00415 
00416     std::vector<std::pair<CPKIFReplyWantBackPtr, vector<SeqResultsPtr> > >::iterator pos;
00417     std::vector<std::pair<CPKIFReplyWantBackPtr, vector<SeqResultsPtr> > >::iterator end = wantBacks->m_wantBacks.end();
00418     for(pos = wantBacks->m_wantBacks.begin(); pos != end; ++pos)
00419     {
00420         if(*wantBackType == *((*pos).first->GetWB()))
00421         {
00422             (*pos).second.push_back(seqResults);
00423             return;
00424         }
00425     }
00426 }
00434 void VerifyCertPathWB_ER(
00436     CPKIFBufferPtr& bestCertPathWB,
00438     CPKIFBufferPtr& bestCertPathWB_ER,
00440     CPKIFCertificatePath& path,
00442     IPKIFScvpClient* scvpClient
00443     )
00444 {
00445     if(!bestCertPathWB || 0 == bestCertPathWB->GetLength() || NULL == bestCertPathWB->GetBuffer())
00446         return;
00447     if(!bestCertPathWB_ER || 0 == bestCertPathWB_ER->GetLength() || NULL == bestCertPathWB_ER->GetBuffer())
00448         return;
00449 
00450     CPKIFCertBundle certBundle;
00451     certBundle.Decode(bestCertPathWB);
00452 
00453     CPKIFEvidenceRecordPtr er(new CPKIFEvidenceRecord);
00454     er->Decode(bestCertPathWB_ER);  
00455 
00456     CPKIFEvidenceRecordVerifierPtr erv = scvpClient->GetEvidenceRecordVerifier();
00457     erv->SetDataComplete(bestCertPathWB);
00458     SeqResultsPtr seqResults = erv->Verify(er);
00459 
00460     CPKIFReplyWantBack_ExtDataHandlerPtr wantBacks = scvpClient->GetWantBacksFromResponse();
00461     AssociateEvidenceRecordResultsWithWantBack(seqResults, g_idSwbErsBestCertPath, wantBacks);
00462 }
00470 void VerifyPartialPathWB_ER(
00472     CPKIFBufferPtr& partialPathWB,
00474     CPKIFBufferPtr& partialPathWB_ER,
00476     CPKIFCertificatePath& path,
00478     IPKIFScvpClient* scvpClient
00479     )
00480 {
00481     if(!partialPathWB || 0 == partialPathWB->GetLength() || NULL == partialPathWB->GetBuffer())
00482         return;
00483     if(!partialPathWB_ER || 0 == partialPathWB_ER->GetLength() || NULL == partialPathWB_ER->GetBuffer())
00484         return;
00485 
00486     CPKIFCertBundle certBundle;
00487     certBundle.Decode(partialPathWB);
00488 
00489     CPKIFEvidenceRecordPtr er(new CPKIFEvidenceRecord);
00490     er->Decode(partialPathWB_ER);   
00491 
00492     CPKIFEvidenceRecordVerifierPtr erv = scvpClient->GetEvidenceRecordVerifier();
00493     erv->SetDataComplete(partialPathWB);
00494     SeqResultsPtr seqResults;
00495     
00496     try
00497     {
00498         seqResults = erv->Verify(er);
00499     }
00500     catch(...)
00501     {
00502     }
00503 
00504     CPKIFReplyWantBack_ExtDataHandlerPtr wantBacks = scvpClient->GetWantBacksFromResponse();
00505     AssociateEvidenceRecordResultsWithWantBack(seqResults, g_idSwbErsPartialCertPath, wantBacks);
00506 }
00514 void VerifyRevInfoWB_ER(
00516     CPKIFBufferPtr& revInfoWB,
00518     CPKIFBufferPtr& revInfoWB_ER,
00520     CPKIFCertificatePath& path,
00522     IPKIFScvpClient* scvpClient
00523     )
00524 {
00525     if(!revInfoWB || 0 == revInfoWB->GetLength() || NULL == revInfoWB->GetBuffer())
00526         return;
00527     if(!revInfoWB_ER || 0 == revInfoWB_ER->GetLength() || NULL == revInfoWB_ER->GetBuffer())
00528         return;
00529 
00530     CPKIFRevocationInfoListPtr revInfos;
00531     revInfos = GetRevInfos(revInfoWB);
00532 
00533     if(revInfos)
00534     {
00535         CPKIFEvidenceRecordBundle er;
00536         er.Decode(revInfoWB_ER);    
00537 
00538         CPKIFEvidenceRecordListPtr ers(new CPKIFEvidenceRecordList);
00539         er.GetERList(ers);
00540 
00541         CPKIFEvidenceRecordVerifierPtr erv = scvpClient->GetEvidenceRecordVerifier();
00542 
00543         if(!ers || revInfos->size() != ers->size())
00544             return;
00545 
00546         CPKIFReplyWantBack_ExtDataHandlerPtr wantBacks = scvpClient->GetWantBacksFromResponse();
00547 
00548         CPKIFRevocationInfoList::iterator begin = revInfos->begin();
00549         CPKIFRevocationInfoList::iterator pos;
00550         CPKIFRevocationInfoList::iterator end = revInfos->end();
00551         for(pos = revInfos->begin(); pos != end; ++pos)
00552         {
00553             CPKIFCRLPtr crl;
00554             if(REVINFOTYPE_CRL == (*pos)->GetRevInfoType())
00555                 crl = (*pos)->GetCRL();
00556             else if(REVINFOTYPE_DELTACRL == (*pos)->GetRevInfoType())
00557                 crl = (*pos)->GetDeltaCRL();
00558             else
00559                 continue;
00560 
00561             CPKIFEvidenceRecordPtr er = (*ers)[distance(begin, pos)];
00562             CPKIFBufferPtr encRevInfo = crl->Encoded();
00563             erv->SetDataComplete(encRevInfo);
00564             SeqResultsPtr seqResults;
00565             
00566             try
00567             {
00568                 seqResults = erv->Verify(er);
00569             }
00570             catch(...)
00571             {
00572             }
00573 
00574             AssociateEvidenceRecordResultsWithWantBack(seqResults, g_idSwbErsRevocationInfo, wantBacks);
00575         }
00576     }
00577 }
00585 void VerifyPKCCertWB_ER(
00587     CPKIFCertificatePtr& pkcCert,
00589     CPKIFBufferPtr& pkcCertWB_ER,
00591     CPKIFCertificatePath& path,
00593     IPKIFScvpClient* scvpClient
00594     )
00595 {
00596     if(!pkcCertWB_ER || 0 == pkcCertWB_ER->GetLength() || NULL == pkcCertWB_ER->GetBuffer())
00597         return;
00598 
00599     CPKIFEvidenceRecordPtr er(new CPKIFEvidenceRecord);
00600     er->Decode(pkcCertWB_ER);   
00601 
00602     CPKIFEvidenceRecordVerifierPtr erv = scvpClient->GetEvidenceRecordVerifier();
00603     CPKIFBufferPtr encCert = pkcCert->Encoded();
00604     erv->SetDataComplete(encCert);
00605     SeqResultsPtr seqResults;
00606     
00607     try
00608     {
00609         seqResults = erv->Verify(er);
00610     }
00611     catch(...)
00612     {
00613     }
00614 
00615     CPKIFReplyWantBack_ExtDataHandlerPtr wantBacks = scvpClient->GetWantBacksFromResponse();
00616     AssociateEvidenceRecordResultsWithWantBack(seqResults, g_idSwbErsPkcCert, wantBacks);
00617 }
00625 void StickCrlsFromWantBackInCrlStore(
00627     CPKIFBufferPtr& revInfoWB,
00629     IPKIFScvpClient* scvpClient,
00631     IPKIFColleague* iCol)
00632 {
00633     IPKIFMediatorPtr curMed = scvpClient->GetMediator();
00634     if(curMed)
00635     {
00636         IPKIFCRLRepositoryUpdate* cu = curMed->GetMediator<IPKIFCRLRepositoryUpdate>();
00637         if(cu)
00638         {
00639             CPKIFRevocationInfoListPtr revInfos;
00640             revInfos = GetRevInfos(revInfoWB);
00641             if(!revInfos)
00642                 return;
00643 
00644             CPKIFGeneralNamePtr emptyGN;
00645             CPKIFRevocationInfoList::iterator pos;
00646             CPKIFRevocationInfoList::iterator end = revInfos->end();
00647             for(pos = revInfos->begin(); pos != end; ++pos)
00648             {
00649                 CPKIFCRLPtr crl;
00650                 if(REVINFOTYPE_CRL == (*pos)->GetRevInfoType())
00651                     crl = (*pos)->GetCRL();
00652                 else if(REVINFOTYPE_DELTACRL == (*pos)->GetRevInfoType())
00653                     crl = (*pos)->GetDeltaCRL();
00654 
00655                 if(crl)
00656                     cu->AddCRL(crl, emptyGN);
00657             }
00658         }
00659     }
00660     if(iCol)
00661     {
00662         IPKIFCRLRepositoryUpdate* cu = iCol->GetMediator<IPKIFCRLRepositoryUpdate>();
00663         if(cu)
00664         {
00665             CPKIFRevocationInfoListPtr revInfos;
00666             revInfos = GetRevInfos(revInfoWB);
00667             if(!revInfos)
00668                 return;
00669 
00670             CPKIFGeneralNamePtr emptyGN;
00671             CPKIFRevocationInfoList::iterator pos;
00672             CPKIFRevocationInfoList::iterator end = revInfos->end();
00673             for(pos = revInfos->begin(); pos != end; ++pos)
00674             {
00675                 CPKIFCRLPtr crl;
00676                 if(REVINFOTYPE_CRL == (*pos)->GetRevInfoType())
00677                     crl = (*pos)->GetCRL();
00678                 else if(REVINFOTYPE_DELTACRL == (*pos)->GetRevInfoType())
00679                     crl = (*pos)->GetDeltaCRL();
00680 
00681                 if(crl)
00682                     cu->AddCRL(crl, emptyGN);
00683             }
00684         }
00685     }
00686 }
00695 void CertPathWantBackToResultsAndStores(
00697     CPKIFBufferPtr& certPathWB,
00699     CPKIFBufferPtr& revInfoWB,
00701     CPKIFCertificatePath& path,
00703     IPKIFScvpClient* scvpClient,
00705     CPKIFPathValidationResults& results,
00706     IPKIFColleague* iCol
00707     )
00708 {
00709     bool rootFound = false;
00710     //the certPathWB is required and must contain a CertBundle.  decode it.
00711     CPKIFCertBundle certBundle;
00712     certBundle.Decode(certPathWB);
00713 
00714     //the bundle should have some certs in it, if it doesn't, move on
00715     CPKIFCertificateListPtr bundle;
00716     certBundle.GetCertList(bundle);
00717     if(!bundle || bundle->empty())
00718         return;
00719 
00720     //revInfoWB is optional.  if not NULL, parse it.
00721     CPKIFRevocationInfoListPtr revInfos;
00722     if(revInfoWB)
00723         revInfos = GetRevInfos(revInfoWB);
00724 
00725     IPKIFCertRepositoryUpdate* cu1 = NULL, *cu2 = NULL;
00726     IPKIFMediatorPtr curMed = scvpClient->GetMediator();
00727     if(curMed)
00728         cu1 = curMed->GetMediator<IPKIFCertRepositoryUpdate>();
00729     if(iCol)
00730         cu2 = iCol->GetMediator<IPKIFCertRepositoryUpdate>();
00731 
00732     //try to suss out what the root is
00733     CPKIFCertificatePtr issuedByTheRoot = bundle->back();
00734 
00735     //grab mediator set and see if there's a crypto raw interface in there
00736     IPKIFCryptoRawOperations* iCryptoRaw = NULL;
00737     IPKIFMediatorPtr m = scvpClient->GetMediator();
00738     if(m)
00739         iCryptoRaw = m->GetMediator<IPKIFCryptoRawOperations>();
00740 
00741     //see if we have a val pol response.  the trust anchor ought to be in there.
00742     CPKIFContentInfoPtr encVpr = scvpClient->GetValPol();
00743     if(encVpr)
00744     {
00745         CPKIFValPolResponsePtr vpr = scvpClient->VerifyValPol();
00746         if(vpr)
00747         {
00748             IPKIFTrustAnchorPtr tr = GetTrustRootFromValPol(vpr, issuedByTheRoot, iCryptoRaw);
00749             if(tr)
00750             {
00751                 path.SetTrustRoot(tr);
00752                 rootFound = true;
00753             }
00754         }
00755     }
00756 
00757     //second, if we didn't find it in the val pol response, see if it's in an available trust store.
00758     if(m && !rootFound )
00759     {
00760         IPKIFTrustCache* trustStore = m->GetMediator<IPKIFTrustCache>();
00761         if(trustStore && iCryptoRaw)
00762         {
00763             CPKIFNamePtr issuerName = issuedByTheRoot->Issuer();
00764 
00765             IPKIFTrustAnchorList roots;
00766             trustStore->GetTrustRoots(issuerName, roots);
00767 
00768             IPKIFTrustAnchorList::iterator pos;
00769             IPKIFTrustAnchorList::iterator end = roots.end();
00770             for(pos = roots.begin(); pos != end; ++pos)
00771             {
00772                 CPKIFTrustRootPtr tr = dynamic_pointer_cast<CPKIFTrustRoot, IPKIFTrustAnchor>(*pos);
00773                 if(tr)
00774                 {
00775                     CPKIFCertificatePtr issCert;
00776                     tr->GetCert(issCert);
00777                     if(issCert && iCryptoRaw->VerifyCertificate(*issCert, *issuedByTheRoot))
00778                     {
00779                         path.SetTrustRoot(*pos);
00780                         rootFound = true;
00781                     }
00782                 }
00783             }
00784         }
00785     }
00786 
00787     //third, if we still haven't found it and don't have a val pol response, get one and look in it.
00788     if(!encVpr && !rootFound)
00789     {
00790         //kick the client to fetch a val pol response
00791         encVpr = scvpClient->FetchValPol();
00792         if(encVpr)
00793         {
00794             //we got a one, verify it and see if our root is in there 
00795             CPKIFValPolResponsePtr vpr = scvpClient->VerifyValPol();
00796             if(vpr)
00797             {
00798                 IPKIFTrustAnchorPtr tr = GetTrustRootFromValPol(vpr, issuedByTheRoot, iCryptoRaw);
00799                 if(tr)
00800                 {
00801                     path.SetTrustRoot(tr);
00802                     rootFound = true;
00803                 }
00804             }
00805         }
00806     }
00807 
00808     //check if responder included root in the bundle.
00809     CPKIFCertificatePtr possibleRoot = bundle->back();
00810 
00811     IPKIFTrustAnchorPtr ta;
00812     path.GetTrustRoot(ta);
00813     CPKIFCertificatePtr rootCert1;
00814 
00815     CPKIFTrustRootPtr tr = boost::dynamic_pointer_cast<CPKIFTrustRoot, IPKIFTrustAnchor>(ta);
00816     if(tr) 
00817     {
00818         tr->GetCert(rootCert1);
00819         if(rootCert1)
00820         {
00821             if(*rootCert1 == *possibleRoot)
00822                 bundle->pop_back();
00823 
00824             CPKIFCertificatePtr newBack = bundle->back();
00825             
00826             if(!iCryptoRaw->VerifyCertificate(*rootCert1, *newBack))
00827                 return;
00828         }
00829     }
00830 
00831     //declare a node list that will contain the path.  this will be put into the path parameter.
00832     CPKIFCertificateNodeList builtPath;
00833 
00834     CPKIFCertificateList::reverse_iterator pos;
00835     CPKIFCertificateList::reverse_iterator end = bundle->rend();
00836     for(pos = bundle->rbegin(); pos != end; ++pos)
00837     {
00838 
00839         if(cu1)
00840             cu1->AddCertificate(CA, *pos);
00841         if(cu2)
00842             cu2->AddCertificate(CA, *pos);
00843             
00844         //create a new node...
00845         CPKIFCertificateNodeEntryPtr node(new CPKIFCertificateNodeEntry);
00846 
00847         //and stuff the current cert in it
00848         node->SetCert((*pos));
00849         node->SetSource(REMOTE);
00850         CPKIFCertStatusPtr newStatus(new CPKIFCertStatus);
00851         node->SetStatus(newStatus);
00852 
00853         //then create a status object and initialize some of the values
00854         CPKIFCertStatusPtr status(new CPKIFCertStatus);
00855         node->SetStatus(status);
00856         status->SetDiagnosticCode(0);
00857         status->SetIsTrustAnchor(false);
00858 
00859         status->SetSignatureVerified(results.GetCertSignaturesVerified());
00860         status->SetRevocationStatus(SERVER_CHECKED);
00861         status->SetPassedValidationChecks(results.GetBasicChecksSuccessfullyPerformed());
00862 
00863         //if we have revInfos, see if any of them correspond to this cert
00864         if(revInfos)
00865             AssociateRevInfoWithCertStatusIfPossible(revInfos, status, (*pos));
00866 
00867         //push it into the list that will be stored in the path object
00868         builtPath.push_back(node);
00869     }
00870     path.SetPath(builtPath);
00871 
00872     return;
00873 }
00882 bool CertPathWantBackToResultsAndStoresForDpd(
00884     CPKIFBufferPtr& certPathWB,
00886     CPKIFBufferPtr& revInfoWB,
00888     CPKIFCertificatePath& path,
00890     IPKIFScvpClient* scvpClient,
00891     IPKIFColleague* iCol
00892     )
00893 {
00894     //the certPathWB is required and must contain a CertBundle.  decode it.
00895     CPKIFCertBundle certBundle;
00896     certBundle.Decode(certPathWB);
00897 
00898     //the bundle should have some certs in it, if it doesn't, move on
00899     CPKIFCertificateListPtr bundle;
00900     certBundle.GetCertList(bundle);
00901     if(!bundle || bundle->empty())
00902         return false;
00903 
00904     IPKIFCertRepositoryUpdate* cu1 = NULL, *cu2 = NULL;
00905     IPKIFMediatorPtr curMed = scvpClient->GetMediator();
00906     if(curMed)
00907         cu1 = curMed->GetMediator<IPKIFCertRepositoryUpdate>();
00908     if(iCol)
00909         cu2 = iCol->GetMediator<IPKIFCertRepositoryUpdate>();
00910 
00911     //revInfoWB is optional.  if not NULL, parse it.
00912     CPKIFRevocationInfoListPtr revInfos;
00913     if(revInfoWB)
00914     {
00915         revInfos = GetRevInfos(revInfoWB);
00916         IPKIFMediatorPtr m = scvpClient->GetMediator();
00917         if(m)
00918         {
00919             IPKIFCRLRepositoryUpdate* cu = m->GetMediator<IPKIFCRLRepositoryUpdate>();
00920             if(cu && revInfos)
00921             {   
00922                 CPKIFGeneralNamePtr emptyDP;
00923                 CPKIFRevocationInfoList::iterator pos;
00924                 CPKIFRevocationInfoList::iterator end = revInfos->end();
00925                 for(pos = revInfos->begin(); pos != end; ++pos)
00926                 {
00927                     CPKIFCRLPtr crl;
00928                     if(REVINFOTYPE_CRL == (*pos)->GetRevInfoType())
00929                     {
00930                         crl = (*pos)->GetCRL();
00931                     }
00932                     else if(REVINFOTYPE_DELTACRL == (*pos)->GetRevInfoType())
00933                     {
00934                         crl = (*pos)->GetDeltaCRL();
00935                     }
00936 
00937                     if(crl)
00938                     {
00939                         try
00940                         {
00941                             cu->AddCRL(crl, emptyDP);
00942                         }
00943                         catch(...)
00944                         {
00945                             //not concerned with errors storing results in local stores
00946                         }
00947                     }
00948                 }
00949             }
00950         }
00951     }
00952 
00953     //declare a node list that will contain the path.  this will be put into the path parameter.
00954     CPKIFCertificateNodeList builtPath;
00955 
00956     CPKIFCertificateList::reverse_iterator pos;
00957     CPKIFCertificateList::reverse_iterator end = bundle->rend();
00958     for(pos = bundle->rbegin(); pos != end; ++pos)
00959     {
00960         if(cu1)
00961         {
00962             try
00963             {
00964                 cu1->AddCertificate(CA, *pos);
00965             }
00966             catch(...)
00967             {
00968                 //not concerned with errors storing results in local stores
00969             }
00970         }
00971         if(cu2)
00972         {
00973             try
00974             {
00975                 cu2->AddCertificate(CA, *pos);
00976             }
00977             catch(...)
00978             {
00979                 //not concerned with errors storing results in local stores
00980             }
00981         }
00982 
00983         //create a new node...
00984         CPKIFCertificateNodeEntryPtr node(new CPKIFCertificateNodeEntry);
00985 
00986         //and stuff the current cert in it
00987         node->SetCert((*pos));
00988         node->SetSource(REMOTE);
00989         CPKIFCertStatusPtr newStatus(new CPKIFCertStatus);
00990         node->SetStatus(newStatus);
00991 
00992         //push it into the list that will be stored in the path object
00993         builtPath.push_back(node);
00994     }
00995     path.SetPath(builtPath);
00996 
00997     //try to suss out what the root is
00998     CPKIFCertificatePtr issuedByTheRoot = bundle->back();
00999 
01000     //grab mediator set and see if there's a crypto raw interface in there
01001     IPKIFCryptoRawOperations* iCryptoRaw = NULL;
01002     IPKIFMediatorPtr m = scvpClient->GetMediator();
01003     if(m)
01004         iCryptoRaw = m->GetMediator<IPKIFCryptoRawOperations>();
01005 
01006     //see if we have a val pol response.  the trust anchor ought to be in there.
01007     CPKIFContentInfoPtr encVpr = scvpClient->GetValPol();
01008     if(encVpr)
01009     {
01010         CPKIFValPolResponsePtr vpr = scvpClient->VerifyValPol();
01011         if(vpr)
01012         {
01013             IPKIFTrustAnchorPtr tr = GetTrustRootFromValPol(vpr, issuedByTheRoot, iCryptoRaw);
01014             if(tr)
01015             {
01016                 path.SetTrustRoot(tr);
01017                 return true;
01018             }
01019         }
01020     }
01021 
01022     //second, if we didn't find it in the val pol response, see if it's in an available trust store.
01023     if(m)
01024     {
01025         IPKIFTrustCache* trustStore = m->GetMediator<IPKIFTrustCache>();
01026         if(trustStore && iCryptoRaw)
01027         {
01028             CPKIFNamePtr issuerName = issuedByTheRoot->Issuer();
01029 
01030             IPKIFTrustAnchorList roots;
01031             trustStore->GetTrustRoots(issuerName, roots);
01032 
01033             IPKIFTrustAnchorList::iterator pos;
01034             IPKIFTrustAnchorList::iterator end = roots.end();
01035             for(pos = roots.begin(); pos != end; ++pos)
01036             {
01037                 CPKIFTrustRootPtr tr = dynamic_pointer_cast<CPKIFTrustRoot, IPKIFTrustAnchor>(*pos);
01038                 if(tr)
01039                 {
01040                     CPKIFCertificatePtr issCert;
01041                     tr->GetCert(issCert);
01042                     if(issCert && iCryptoRaw->VerifyCertificate(*issCert, *issuedByTheRoot))
01043                     {
01044                         path.SetTrustRoot(*pos);
01045                         return true;
01046                     }
01047                 }
01048             }
01049         }
01050     }
01051 
01052     //third, if we still haven't found it and don't have a val pol response, get one and look in it.
01053     if(!encVpr)
01054     {
01055         //kick the client to fetch a val pol response
01056         encVpr = scvpClient->FetchValPol();
01057         if(encVpr)
01058         {
01059             //we got a one, verify it and see if our root is in there
01060             CPKIFValPolResponsePtr vpr = scvpClient->VerifyValPol();
01061             if(vpr)
01062             {
01063                 IPKIFTrustAnchorPtr tr = GetTrustRootFromValPol(vpr, issuedByTheRoot, iCryptoRaw);
01064                 if(tr)
01065                 {
01066                     path.SetTrustRoot(tr);
01067                     return true;
01068                 }
01069             }
01070         }
01071     }
01072 
01073     return false;
01074 }
01075 

Generated on Mon Nov 15 11:15:56 2010 for PublicKeyInfrastructureFramework(PKIF) by  doxygen 1.5.6