00001
00010
00011 #include "pkif.h"
00012 #include "PKIFCryptUtils.h"
00013
00014
00015 #include "CertBundle.h"
00016 #include "CertReferences.h"
00017 #include "IPKIFScvpClient.h"
00018 #include "PKCReference.h"
00019 #include "ReplyWantBack.h"
00020 #include "RevocationInfo.h"
00021 #include "RevInfoWantBack.h"
00022 #include "ValidationPolicy.h"
00023 #include "ValPolResponse.h"
00024
00025
00026 #include "ERSConstants.h"
00027 #include "EvidenceRecord.h"
00028 #include "EvidenceRecordBundle.h"
00029 #include "EvidenceRecordVerifier.h"
00030
00031 #include <cstring>
00032
00033 using namespace boost;
00034 using namespace std;
00042 CPKIFRevocationInfoListPtr PKIFSCVP_API GetRevInfos(CPKIFBufferPtr& revInfoWB)
00043 {
00044 CPKIFRevocationInfoListPtr empty;
00045 if(!revInfoWB)
00046 return empty;
00047
00048 try
00049 {
00050 CPKIFRevInfoWantBack revInfo(revInfoWB);
00051 CPKIFRevocationInfoListPtr revInfos;
00052 revInfo.GetRevInfos(revInfos);
00053 return revInfos;
00054 }
00055 catch(...)
00056 {
00057 return empty;
00058 }
00059 }
00067 bool CrlCoversCert(
00069 CPKIFCRLPtr& crl,
00071 CPKIFCertificatePtr& cert)
00072 {
00073 CPKIFNamePtr crlIssuer = crl->Issuer();
00074 CPKIFNamePtr certIssuer = cert->Issuer();
00075 CPKIFCRLDistributionPointsPtr cdp = cert->GetExtension<CPKIFCRLDistributionPoints>();
00076 CPKIFIssuingDistributionPointPtr idp = crl->GetExtension<CPKIFIssuingDistributionPoint>();
00077 if(!idp && (*certIssuer == *crlIssuer))
00078 return true;
00079 else if(idp && cdp)
00080 {
00081 CPKIFDistributionPointNamePtr dp = idp->DistributionPoint();
00082 CPKIFCRLDistributionPointListPtr dps = cdp->DPs();
00083 if(dp && dps)
00084 {
00085 CPKIFCRLDistributionPointList::iterator pos;
00086 CPKIFCRLDistributionPointList::iterator end = dps->end();
00087 for(pos = dps->begin(); pos != end; ++pos)
00088 {
00089 CPKIFDistributionPointNamePtr posDP = (*pos)->DistributionPoint();
00090 if((*posDP) == *dp)
00091 return true;
00092 }
00093 }
00094 }
00095
00096 return false;
00097 }
00098
00110 CPKIFBufferPtr _HashIssuerName(
00112 const CPKIFCertificate& cert,
00114 IPKIFCryptoMisc* cMisc)
00115 {
00116
00117 CPKIFNamePtr issuerName = cert.Issuer();
00118 if(issuerName == (CPKIFName*)NULL)
00119 throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_INVALID_INPUT,"Invalid cert passed to issuer name hashing function");
00120
00121
00122 CPKIFBufferPtr tmp = issuerName->Encoded();
00123
00124
00125 IPKIFHashContext* hi = cMisc->HashInit(PKIFCRYPTO::SHA1);
00126 if(NULL == hi)
00127 throw CPKIFException(TOOLKIT_OCSP_CHECKER,COMMON_UNSUPPORTED_ALG,"");
00128
00129
00130 int hashResultLen = MAXHASH;
00131 unsigned char* hashResult = NULL;
00132
00133 try
00134 {
00135 hashResult = new unsigned char[MAXHASH];
00136 }
00137 catch(std::bad_alloc& ba)
00138 {
00139 delete hi;
00140 throw ba;
00141 }
00142
00143 try
00144 {
00145 cMisc->HashUpdate(hi, (unsigned char*)tmp->GetBuffer(), tmp->GetLength());
00146 cMisc->HashFinal(hi, hashResult, &hashResultLen);
00147 }
00148 catch(CPKIFException& e)
00149 {
00150 delete hi;
00151 delete[] hashResult;
00152 throw e;
00153 }
00154 delete hi;
00155
00156 CPKIFBufferPtr issuerNameHash(new CPKIFBuffer(true, hashResult, hashResultLen));
00157 return issuerNameHash;
00158 }
00159
00167 bool _CertIDMatchesCert(
00169 CPKIFCertIDPtr& cid,
00171 const CPKIFCertificate& cert,
00173 IPKIFCryptoMisc* m)
00174 {
00175 LOG_STRING_DEBUG("_CertIDMatchesCert", TOOLKIT_OCSP_CHECKER, 0, NULL);
00176
00177
00178 const char* cidSN = cid->GetSerialNumber();
00179 const char* certSN = cert.SerialNumber();
00180
00181
00182
00183 if(NULL == cidSN || NULL == certSN || strlen(cidSN) != strlen(certSN) ||
00184 0 != stricmp(cidSN, certSN))
00185 return false;
00186
00187
00188 CPKIFBufferPtr certHashBuf = _HashIssuerName(cert, m);
00189 CPKIFBufferPtr cidHashBuf = cid->GetIssuerNameHash();
00190
00191
00192 if(!(*certHashBuf == *cidHashBuf))
00193 return false;
00194
00195
00196 return true;
00197 }
00205 bool OcspResponseCoversCertificate(
00207 CPKIFOCSPResponsePtr& ocsp,
00209 CPKIFCertificatePtr& cert)
00210 {
00211 IPKIFCryptoMisc* cryptoMisc = GetPlatformCryptoMisc();
00212
00213 CPKIFResponseBytesPtr responseBytes = ocsp->GetResponseBytes();
00214 if(responseBytes == (CPKIFResponseBytes*)NULL)
00215 {
00216 return false;
00217 }
00218
00219
00220 if(!(*g_ocspBasic == responseBytes->GetResponseType()))
00221 {
00222 return false;
00223 }
00224
00225
00226 CPKIFBufferPtr responseBuf = responseBytes->GetResponse();
00227
00228
00229 CPKIFBasicOCSPResponsePtr basicOCSPResponse(new CPKIFBasicOCSPResponse);
00230 basicOCSPResponse->Decode(responseBuf);
00231
00232 CPKIFResponseDataPtr responseData = basicOCSPResponse->GetResponseData();
00233
00234 CPKIFSingleResponseList responses;
00235 responseData->GetResponses(responses);
00236
00237 CPKIFSingleResponseList::iterator pos;
00238 CPKIFSingleResponseList::iterator end = responses.end();
00239 CPKIFSingleResponsePtr targetResponse;
00240 for(pos = responses.begin(); pos != end; ++pos)
00241 {
00242
00243
00244
00245 CPKIFCertIDPtr cid = (*pos)->GetCertID();
00246 if(_CertIDMatchesCert(cid, *cert, cryptoMisc))
00247 {
00248 targetResponse = *pos;
00249 return true;
00250 }
00251 }
00252
00253 return false;
00254 }
00255
00266 void AssociateRevInfoWithCertStatusIfPossible(
00268 CPKIFRevocationInfoListPtr& revInfos,
00270 CPKIFCertStatusPtr& status,
00272 CPKIFCertificatePtr& cert)
00273 {
00274 CPKIFCRLInfoPtr crlInfo;
00275 CPKIFOCSPInfoPtr ocspInfo;
00276 CPKIFRevocationInfoList::iterator pos;
00277 CPKIFRevocationInfoList::iterator end = revInfos->end();
00278 for(pos = revInfos->begin(); pos != end; ++pos)
00279 {
00280
00281
00282 REVINFOTYPE rit = (*pos)->GetRevInfoType();
00283 switch(rit)
00284 {
00285 case REVINFOTYPE_CRL:
00286 {
00287 CPKIFCRLPtr crl = (*pos)->GetCRL();
00288 if(CrlCoversCert(crl, cert))
00289 {
00290 if(!crlInfo)
00291 {
00292 CPKIFCRLInfoPtr tmp(new CPKIFCRLInfo);
00293 crlInfo = tmp;
00294 }
00295 crlInfo->AddCRL(crl);
00296 }
00297 break;
00298 }
00299 case REVINFOTYPE_DELTACRL:
00300 {
00301 CPKIFCRLPtr crl = (*pos)->GetDeltaCRL();
00302 if(CrlCoversCert(crl, cert))
00303 {
00304 if(!crlInfo)
00305 {
00306 CPKIFCRLInfoPtr tmp(new CPKIFCRLInfo);
00307 crlInfo = tmp;
00308 }
00309 crlInfo->AddCRL(crl);
00310 }
00311 break;
00312 }
00313 case REVINFOTYPE_OCSPRESP:
00314 {
00315 CPKIFBufferPtr ocspRespBuf = (*pos)->GetOCSPResp();
00316 CPKIFOCSPResponsePtr ocspResp(new CPKIFOCSPResponse);
00317 ocspResp->Decode(ocspRespBuf);
00318 if(OcspResponseCoversCertificate(ocspResp, cert))
00319 {
00320 if(!ocspInfo)
00321 {
00322 CPKIFOCSPInfoPtr tmp(new CPKIFOCSPInfo);
00323 ocspInfo = tmp;
00324 }
00325 ocspInfo->SetOCSPResponse(ocspResp);
00326 }
00327 break;
00328 }
00329 case REVINFOTYPE_OTHER:
00330
00331 break;
00332 case REVINFOTYPE_NONE:
00333 default:
00334
00335 break;
00336 }
00337 }
00338
00339 if(crlInfo && status)
00340 {
00341 status->AddRevocationSource(REVSOURCE_CRL, REV_INFO_CAST(crlInfo), SERVER_CHECKED, 0);
00342 }
00343
00344 if(ocspInfo && status)
00345 {
00346 status->AddRevocationSource(REVSOURCE_OCSP, REV_INFO_CAST(ocspInfo), SERVER_CHECKED, 0);
00347 }
00348 }
00356 CPKIFTrustRootPtr GetTrustRootFromValPol(
00358 CPKIFValPolResponsePtr& vpr,
00360 CPKIFCertificatePtr& issuedByTheRoot,
00362 IPKIFCryptoRawOperations* cryptoRaw)
00363 {
00364 CPKIFTrustRootPtr empty;
00365 if(!vpr || !issuedByTheRoot || !cryptoRaw)
00366 return empty;
00367
00368 CPKIFValidationPolicyPtr valPol = vpr->GetRespValidationPolicy();
00369 if(!valPol)
00370 return empty;
00371
00372 CPKIFPKCReferenceListPtr tas;
00373 valPol->GetTAs(tas);
00374
00375 if(!tas || tas->empty())
00376 return empty;
00377
00378 CPKIFNamePtr issuerName = issuedByTheRoot->Issuer();
00379
00380 CPKIFPKCReferenceList::iterator pos;
00381 CPKIFPKCReferenceList::iterator end = tas->end();
00382 for(pos = tas->begin(); pos != end; ++pos)
00383 {
00384 CPKIFCertificatePtr cert = (*pos)->GetCert();
00385 CPKIFNamePtr subjectName = cert->Subject();
00386
00387 if(*issuerName == *subjectName &&
00388 cryptoRaw->VerifyCertificate(*cert, *issuedByTheRoot))
00389 {
00390 CPKIFTrustRootPtr tr(new CPKIFTrustRoot);
00391 tr->SetCert(cert);
00392 return tr;
00393 }
00394 }
00395
00396 return empty;
00397 }
00405 void AssociateEvidenceRecordResultsWithWantBack(
00407 SeqResultsPtr& seqResults,
00409 CPKIFOIDPtr& wantBackType,
00411 CPKIFReplyWantBack_ExtDataHandlerPtr& wantBacks)
00412 {
00413 if(!wantBacks || !wantBackType || !seqResults)
00414 return;
00415
00416 std::vector<std::pair<CPKIFReplyWantBackPtr, vector<SeqResultsPtr> > >::iterator pos;
00417 std::vector<std::pair<CPKIFReplyWantBackPtr, vector<SeqResultsPtr> > >::iterator end = wantBacks->m_wantBacks.end();
00418 for(pos = wantBacks->m_wantBacks.begin(); pos != end; ++pos)
00419 {
00420 if(*wantBackType == *((*pos).first->GetWB()))
00421 {
00422 (*pos).second.push_back(seqResults);
00423 return;
00424 }
00425 }
00426 }
00434 void VerifyCertPathWB_ER(
00436 CPKIFBufferPtr& bestCertPathWB,
00438 CPKIFBufferPtr& bestCertPathWB_ER,
00440 CPKIFCertificatePath& path,
00442 IPKIFScvpClient* scvpClient
00443 )
00444 {
00445 if(!bestCertPathWB || 0 == bestCertPathWB->GetLength() || NULL == bestCertPathWB->GetBuffer())
00446 return;
00447 if(!bestCertPathWB_ER || 0 == bestCertPathWB_ER->GetLength() || NULL == bestCertPathWB_ER->GetBuffer())
00448 return;
00449
00450 CPKIFCertBundle certBundle;
00451 certBundle.Decode(bestCertPathWB);
00452
00453 CPKIFEvidenceRecordPtr er(new CPKIFEvidenceRecord);
00454 er->Decode(bestCertPathWB_ER);
00455
00456 CPKIFEvidenceRecordVerifierPtr erv = scvpClient->GetEvidenceRecordVerifier();
00457 erv->SetDataComplete(bestCertPathWB);
00458 SeqResultsPtr seqResults = erv->Verify(er);
00459
00460 CPKIFReplyWantBack_ExtDataHandlerPtr wantBacks = scvpClient->GetWantBacksFromResponse();
00461 AssociateEvidenceRecordResultsWithWantBack(seqResults, g_idSwbErsBestCertPath, wantBacks);
00462 }
00470 void VerifyPartialPathWB_ER(
00472 CPKIFBufferPtr& partialPathWB,
00474 CPKIFBufferPtr& partialPathWB_ER,
00476 CPKIFCertificatePath& path,
00478 IPKIFScvpClient* scvpClient
00479 )
00480 {
00481 if(!partialPathWB || 0 == partialPathWB->GetLength() || NULL == partialPathWB->GetBuffer())
00482 return;
00483 if(!partialPathWB_ER || 0 == partialPathWB_ER->GetLength() || NULL == partialPathWB_ER->GetBuffer())
00484 return;
00485
00486 CPKIFCertBundle certBundle;
00487 certBundle.Decode(partialPathWB);
00488
00489 CPKIFEvidenceRecordPtr er(new CPKIFEvidenceRecord);
00490 er->Decode(partialPathWB_ER);
00491
00492 CPKIFEvidenceRecordVerifierPtr erv = scvpClient->GetEvidenceRecordVerifier();
00493 erv->SetDataComplete(partialPathWB);
00494 SeqResultsPtr seqResults;
00495
00496 try
00497 {
00498 seqResults = erv->Verify(er);
00499 }
00500 catch(...)
00501 {
00502 }
00503
00504 CPKIFReplyWantBack_ExtDataHandlerPtr wantBacks = scvpClient->GetWantBacksFromResponse();
00505 AssociateEvidenceRecordResultsWithWantBack(seqResults, g_idSwbErsPartialCertPath, wantBacks);
00506 }
00514 void VerifyRevInfoWB_ER(
00516 CPKIFBufferPtr& revInfoWB,
00518 CPKIFBufferPtr& revInfoWB_ER,
00520 CPKIFCertificatePath& path,
00522 IPKIFScvpClient* scvpClient
00523 )
00524 {
00525 if(!revInfoWB || 0 == revInfoWB->GetLength() || NULL == revInfoWB->GetBuffer())
00526 return;
00527 if(!revInfoWB_ER || 0 == revInfoWB_ER->GetLength() || NULL == revInfoWB_ER->GetBuffer())
00528 return;
00529
00530 CPKIFRevocationInfoListPtr revInfos;
00531 revInfos = GetRevInfos(revInfoWB);
00532
00533 if(revInfos)
00534 {
00535 CPKIFEvidenceRecordBundle er;
00536 er.Decode(revInfoWB_ER);
00537
00538 CPKIFEvidenceRecordListPtr ers(new CPKIFEvidenceRecordList);
00539 er.GetERList(ers);
00540
00541 CPKIFEvidenceRecordVerifierPtr erv = scvpClient->GetEvidenceRecordVerifier();
00542
00543 if(!ers || revInfos->size() != ers->size())
00544 return;
00545
00546 CPKIFReplyWantBack_ExtDataHandlerPtr wantBacks = scvpClient->GetWantBacksFromResponse();
00547
00548 CPKIFRevocationInfoList::iterator begin = revInfos->begin();
00549 CPKIFRevocationInfoList::iterator pos;
00550 CPKIFRevocationInfoList::iterator end = revInfos->end();
00551 for(pos = revInfos->begin(); pos != end; ++pos)
00552 {
00553 CPKIFCRLPtr crl;
00554 if(REVINFOTYPE_CRL == (*pos)->GetRevInfoType())
00555 crl = (*pos)->GetCRL();
00556 else if(REVINFOTYPE_DELTACRL == (*pos)->GetRevInfoType())
00557 crl = (*pos)->GetDeltaCRL();
00558 else
00559 continue;
00560
00561 CPKIFEvidenceRecordPtr er = (*ers)[distance(begin, pos)];
00562 CPKIFBufferPtr encRevInfo = crl->Encoded();
00563 erv->SetDataComplete(encRevInfo);
00564 SeqResultsPtr seqResults;
00565
00566 try
00567 {
00568 seqResults = erv->Verify(er);
00569 }
00570 catch(...)
00571 {
00572 }
00573
00574 AssociateEvidenceRecordResultsWithWantBack(seqResults, g_idSwbErsRevocationInfo, wantBacks);
00575 }
00576 }
00577 }
00585 void VerifyPKCCertWB_ER(
00587 CPKIFCertificatePtr& pkcCert,
00589 CPKIFBufferPtr& pkcCertWB_ER,
00591 CPKIFCertificatePath& path,
00593 IPKIFScvpClient* scvpClient
00594 )
00595 {
00596 if(!pkcCertWB_ER || 0 == pkcCertWB_ER->GetLength() || NULL == pkcCertWB_ER->GetBuffer())
00597 return;
00598
00599 CPKIFEvidenceRecordPtr er(new CPKIFEvidenceRecord);
00600 er->Decode(pkcCertWB_ER);
00601
00602 CPKIFEvidenceRecordVerifierPtr erv = scvpClient->GetEvidenceRecordVerifier();
00603 CPKIFBufferPtr encCert = pkcCert->Encoded();
00604 erv->SetDataComplete(encCert);
00605 SeqResultsPtr seqResults;
00606
00607 try
00608 {
00609 seqResults = erv->Verify(er);
00610 }
00611 catch(...)
00612 {
00613 }
00614
00615 CPKIFReplyWantBack_ExtDataHandlerPtr wantBacks = scvpClient->GetWantBacksFromResponse();
00616 AssociateEvidenceRecordResultsWithWantBack(seqResults, g_idSwbErsPkcCert, wantBacks);
00617 }
00625 void StickCrlsFromWantBackInCrlStore(
00627 CPKIFBufferPtr& revInfoWB,
00629 IPKIFScvpClient* scvpClient,
00631 IPKIFColleague* iCol)
00632 {
00633 IPKIFMediatorPtr curMed = scvpClient->GetMediator();
00634 if(curMed)
00635 {
00636 IPKIFCRLRepositoryUpdate* cu = curMed->GetMediator<IPKIFCRLRepositoryUpdate>();
00637 if(cu)
00638 {
00639 CPKIFRevocationInfoListPtr revInfos;
00640 revInfos = GetRevInfos(revInfoWB);
00641 if(!revInfos)
00642 return;
00643
00644 CPKIFGeneralNamePtr emptyGN;
00645 CPKIFRevocationInfoList::iterator pos;
00646 CPKIFRevocationInfoList::iterator end = revInfos->end();
00647 for(pos = revInfos->begin(); pos != end; ++pos)
00648 {
00649 CPKIFCRLPtr crl;
00650 if(REVINFOTYPE_CRL == (*pos)->GetRevInfoType())
00651 crl = (*pos)->GetCRL();
00652 else if(REVINFOTYPE_DELTACRL == (*pos)->GetRevInfoType())
00653 crl = (*pos)->GetDeltaCRL();
00654
00655 if(crl)
00656 cu->AddCRL(crl, emptyGN);
00657 }
00658 }
00659 }
00660 if(iCol)
00661 {
00662 IPKIFCRLRepositoryUpdate* cu = iCol->GetMediator<IPKIFCRLRepositoryUpdate>();
00663 if(cu)
00664 {
00665 CPKIFRevocationInfoListPtr revInfos;
00666 revInfos = GetRevInfos(revInfoWB);
00667 if(!revInfos)
00668 return;
00669
00670 CPKIFGeneralNamePtr emptyGN;
00671 CPKIFRevocationInfoList::iterator pos;
00672 CPKIFRevocationInfoList::iterator end = revInfos->end();
00673 for(pos = revInfos->begin(); pos != end; ++pos)
00674 {
00675 CPKIFCRLPtr crl;
00676 if(REVINFOTYPE_CRL == (*pos)->GetRevInfoType())
00677 crl = (*pos)->GetCRL();
00678 else if(REVINFOTYPE_DELTACRL == (*pos)->GetRevInfoType())
00679 crl = (*pos)->GetDeltaCRL();
00680
00681 if(crl)
00682 cu->AddCRL(crl, emptyGN);
00683 }
00684 }
00685 }
00686 }
00695 void CertPathWantBackToResultsAndStores(
00697 CPKIFBufferPtr& certPathWB,
00699 CPKIFBufferPtr& revInfoWB,
00701 CPKIFCertificatePath& path,
00703 IPKIFScvpClient* scvpClient,
00705 CPKIFPathValidationResults& results,
00706 IPKIFColleague* iCol
00707 )
00708 {
00709 bool rootFound = false;
00710
00711 CPKIFCertBundle certBundle;
00712 certBundle.Decode(certPathWB);
00713
00714
00715 CPKIFCertificateListPtr bundle;
00716 certBundle.GetCertList(bundle);
00717 if(!bundle || bundle->empty())
00718 return;
00719
00720
00721 CPKIFRevocationInfoListPtr revInfos;
00722 if(revInfoWB)
00723 revInfos = GetRevInfos(revInfoWB);
00724
00725 IPKIFCertRepositoryUpdate* cu1 = NULL, *cu2 = NULL;
00726 IPKIFMediatorPtr curMed = scvpClient->GetMediator();
00727 if(curMed)
00728 cu1 = curMed->GetMediator<IPKIFCertRepositoryUpdate>();
00729 if(iCol)
00730 cu2 = iCol->GetMediator<IPKIFCertRepositoryUpdate>();
00731
00732
00733 CPKIFCertificatePtr issuedByTheRoot = bundle->back();
00734
00735
00736 IPKIFCryptoRawOperations* iCryptoRaw = NULL;
00737 IPKIFMediatorPtr m = scvpClient->GetMediator();
00738 if(m)
00739 iCryptoRaw = m->GetMediator<IPKIFCryptoRawOperations>();
00740
00741
00742 CPKIFContentInfoPtr encVpr = scvpClient->GetValPol();
00743 if(encVpr)
00744 {
00745 CPKIFValPolResponsePtr vpr = scvpClient->VerifyValPol();
00746 if(vpr)
00747 {
00748 IPKIFTrustAnchorPtr tr = GetTrustRootFromValPol(vpr, issuedByTheRoot, iCryptoRaw);
00749 if(tr)
00750 {
00751 path.SetTrustRoot(tr);
00752 rootFound = true;
00753 }
00754 }
00755 }
00756
00757
00758 if(m && !rootFound )
00759 {
00760 IPKIFTrustCache* trustStore = m->GetMediator<IPKIFTrustCache>();
00761 if(trustStore && iCryptoRaw)
00762 {
00763 CPKIFNamePtr issuerName = issuedByTheRoot->Issuer();
00764
00765 IPKIFTrustAnchorList roots;
00766 trustStore->GetTrustRoots(issuerName, roots);
00767
00768 IPKIFTrustAnchorList::iterator pos;
00769 IPKIFTrustAnchorList::iterator end = roots.end();
00770 for(pos = roots.begin(); pos != end; ++pos)
00771 {
00772 CPKIFTrustRootPtr tr = dynamic_pointer_cast<CPKIFTrustRoot, IPKIFTrustAnchor>(*pos);
00773 if(tr)
00774 {
00775 CPKIFCertificatePtr issCert;
00776 tr->GetCert(issCert);
00777 if(issCert && iCryptoRaw->VerifyCertificate(*issCert, *issuedByTheRoot))
00778 {
00779 path.SetTrustRoot(*pos);
00780 rootFound = true;
00781 }
00782 }
00783 }
00784 }
00785 }
00786
00787
00788 if(!encVpr && !rootFound)
00789 {
00790
00791 encVpr = scvpClient->FetchValPol();
00792 if(encVpr)
00793 {
00794
00795 CPKIFValPolResponsePtr vpr = scvpClient->VerifyValPol();
00796 if(vpr)
00797 {
00798 IPKIFTrustAnchorPtr tr = GetTrustRootFromValPol(vpr, issuedByTheRoot, iCryptoRaw);
00799 if(tr)
00800 {
00801 path.SetTrustRoot(tr);
00802 rootFound = true;
00803 }
00804 }
00805 }
00806 }
00807
00808
00809 CPKIFCertificatePtr possibleRoot = bundle->back();
00810
00811 IPKIFTrustAnchorPtr ta;
00812 path.GetTrustRoot(ta);
00813 CPKIFCertificatePtr rootCert1;
00814
00815 CPKIFTrustRootPtr tr = boost::dynamic_pointer_cast<CPKIFTrustRoot, IPKIFTrustAnchor>(ta);
00816 if(tr)
00817 {
00818 tr->GetCert(rootCert1);
00819 if(rootCert1)
00820 {
00821 if(*rootCert1 == *possibleRoot)
00822 bundle->pop_back();
00823
00824 CPKIFCertificatePtr newBack = bundle->back();
00825
00826 if(!iCryptoRaw->VerifyCertificate(*rootCert1, *newBack))
00827 return;
00828 }
00829 }
00830
00831
00832 CPKIFCertificateNodeList builtPath;
00833
00834 CPKIFCertificateList::reverse_iterator pos;
00835 CPKIFCertificateList::reverse_iterator end = bundle->rend();
00836 for(pos = bundle->rbegin(); pos != end; ++pos)
00837 {
00838
00839 if(cu1)
00840 cu1->AddCertificate(CA, *pos);
00841 if(cu2)
00842 cu2->AddCertificate(CA, *pos);
00843
00844
00845 CPKIFCertificateNodeEntryPtr node(new CPKIFCertificateNodeEntry);
00846
00847
00848 node->SetCert((*pos));
00849 node->SetSource(REMOTE);
00850 CPKIFCertStatusPtr newStatus(new CPKIFCertStatus);
00851 node->SetStatus(newStatus);
00852
00853
00854 CPKIFCertStatusPtr status(new CPKIFCertStatus);
00855 node->SetStatus(status);
00856 status->SetDiagnosticCode(0);
00857 status->SetIsTrustAnchor(false);
00858
00859 status->SetSignatureVerified(results.GetCertSignaturesVerified());
00860 status->SetRevocationStatus(SERVER_CHECKED);
00861 status->SetPassedValidationChecks(results.GetBasicChecksSuccessfullyPerformed());
00862
00863
00864 if(revInfos)
00865 AssociateRevInfoWithCertStatusIfPossible(revInfos, status, (*pos));
00866
00867
00868 builtPath.push_back(node);
00869 }
00870 path.SetPath(builtPath);
00871
00872 return;
00873 }
00882 bool CertPathWantBackToResultsAndStoresForDpd(
00884 CPKIFBufferPtr& certPathWB,
00886 CPKIFBufferPtr& revInfoWB,
00888 CPKIFCertificatePath& path,
00890 IPKIFScvpClient* scvpClient,
00891 IPKIFColleague* iCol
00892 )
00893 {
00894
00895 CPKIFCertBundle certBundle;
00896 certBundle.Decode(certPathWB);
00897
00898
00899 CPKIFCertificateListPtr bundle;
00900 certBundle.GetCertList(bundle);
00901 if(!bundle || bundle->empty())
00902 return false;
00903
00904 IPKIFCertRepositoryUpdate* cu1 = NULL, *cu2 = NULL;
00905 IPKIFMediatorPtr curMed = scvpClient->GetMediator();
00906 if(curMed)
00907 cu1 = curMed->GetMediator<IPKIFCertRepositoryUpdate>();
00908 if(iCol)
00909 cu2 = iCol->GetMediator<IPKIFCertRepositoryUpdate>();
00910
00911
00912 CPKIFRevocationInfoListPtr revInfos;
00913 if(revInfoWB)
00914 {
00915 revInfos = GetRevInfos(revInfoWB);
00916 IPKIFMediatorPtr m = scvpClient->GetMediator();
00917 if(m)
00918 {
00919 IPKIFCRLRepositoryUpdate* cu = m->GetMediator<IPKIFCRLRepositoryUpdate>();
00920 if(cu && revInfos)
00921 {
00922 CPKIFGeneralNamePtr emptyDP;
00923 CPKIFRevocationInfoList::iterator pos;
00924 CPKIFRevocationInfoList::iterator end = revInfos->end();
00925 for(pos = revInfos->begin(); pos != end; ++pos)
00926 {
00927 CPKIFCRLPtr crl;
00928 if(REVINFOTYPE_CRL == (*pos)->GetRevInfoType())
00929 {
00930 crl = (*pos)->GetCRL();
00931 }
00932 else if(REVINFOTYPE_DELTACRL == (*pos)->GetRevInfoType())
00933 {
00934 crl = (*pos)->GetDeltaCRL();
00935 }
00936
00937 if(crl)
00938 {
00939 try
00940 {
00941 cu->AddCRL(crl, emptyDP);
00942 }
00943 catch(...)
00944 {
00945
00946 }
00947 }
00948 }
00949 }
00950 }
00951 }
00952
00953
00954 CPKIFCertificateNodeList builtPath;
00955
00956 CPKIFCertificateList::reverse_iterator pos;
00957 CPKIFCertificateList::reverse_iterator end = bundle->rend();
00958 for(pos = bundle->rbegin(); pos != end; ++pos)
00959 {
00960 if(cu1)
00961 {
00962 try
00963 {
00964 cu1->AddCertificate(CA, *pos);
00965 }
00966 catch(...)
00967 {
00968
00969 }
00970 }
00971 if(cu2)
00972 {
00973 try
00974 {
00975 cu2->AddCertificate(CA, *pos);
00976 }
00977 catch(...)
00978 {
00979
00980 }
00981 }
00982
00983
00984 CPKIFCertificateNodeEntryPtr node(new CPKIFCertificateNodeEntry);
00985
00986
00987 node->SetCert((*pos));
00988 node->SetSource(REMOTE);
00989 CPKIFCertStatusPtr newStatus(new CPKIFCertStatus);
00990 node->SetStatus(newStatus);
00991
00992
00993 builtPath.push_back(node);
00994 }
00995 path.SetPath(builtPath);
00996
00997
00998 CPKIFCertificatePtr issuedByTheRoot = bundle->back();
00999
01000
01001 IPKIFCryptoRawOperations* iCryptoRaw = NULL;
01002 IPKIFMediatorPtr m = scvpClient->GetMediator();
01003 if(m)
01004 iCryptoRaw = m->GetMediator<IPKIFCryptoRawOperations>();
01005
01006
01007 CPKIFContentInfoPtr encVpr = scvpClient->GetValPol();
01008 if(encVpr)
01009 {
01010 CPKIFValPolResponsePtr vpr = scvpClient->VerifyValPol();
01011 if(vpr)
01012 {
01013 IPKIFTrustAnchorPtr tr = GetTrustRootFromValPol(vpr, issuedByTheRoot, iCryptoRaw);
01014 if(tr)
01015 {
01016 path.SetTrustRoot(tr);
01017 return true;
01018 }
01019 }
01020 }
01021
01022
01023 if(m)
01024 {
01025 IPKIFTrustCache* trustStore = m->GetMediator<IPKIFTrustCache>();
01026 if(trustStore && iCryptoRaw)
01027 {
01028 CPKIFNamePtr issuerName = issuedByTheRoot->Issuer();
01029
01030 IPKIFTrustAnchorList roots;
01031 trustStore->GetTrustRoots(issuerName, roots);
01032
01033 IPKIFTrustAnchorList::iterator pos;
01034 IPKIFTrustAnchorList::iterator end = roots.end();
01035 for(pos = roots.begin(); pos != end; ++pos)
01036 {
01037 CPKIFTrustRootPtr tr = dynamic_pointer_cast<CPKIFTrustRoot, IPKIFTrustAnchor>(*pos);
01038 if(tr)
01039 {
01040 CPKIFCertificatePtr issCert;
01041 tr->GetCert(issCert);
01042 if(issCert && iCryptoRaw->VerifyCertificate(*issCert, *issuedByTheRoot))
01043 {
01044 path.SetTrustRoot(*pos);
01045 return true;
01046 }
01047 }
01048 }
01049 }
01050 }
01051
01052
01053 if(!encVpr)
01054 {
01055
01056 encVpr = scvpClient->FetchValPol();
01057 if(encVpr)
01058 {
01059
01060 CPKIFValPolResponsePtr vpr = scvpClient->VerifyValPol();
01061 if(vpr)
01062 {
01063 IPKIFTrustAnchorPtr tr = GetTrustRootFromValPol(vpr, issuedByTheRoot, iCryptoRaw);
01064 if(tr)
01065 {
01066 path.SetTrustRoot(tr);
01067 return true;
01068 }
01069 }
01070 }
01071 }
01072
01073 return false;
01074 }
01075