SignedData.cpp

Go to the documentation of this file.

#include "SignedData.h"
#include "private/PrivatePKIFCMSUtils.h"

#include "Certificate.h"
#include "Buffer.h"
#include "OID.h"
#include "Attribute.h"
#include "EncapsulatedContentInfo.h"
#include "ASN1Helper.h"
#include "ParallelHash.h"
#include "PKIFCMSMessageMemoryHelper.h"
#include "CRL.h"
#include "SignerInfo.h"
#include "AlgorithmIdentifier.h"
#include "GottaMatch.h"
#include "Name.h"
#include "SubjectKeyIdentifier.h"
#include "IssuerNameAndSerialNumberBasedSearch.h"
#include "KeyIDBasedSearch.h"
#include "PKIFFuncStorage.h"
#include "ContentTypeAttribute.h"
#include "PKIFAlgorithm.h"
#include "PKIFBase64.h"
#include "BasicConstraints.h"

#include "IPKIFCryptoRawOperations.h"
#include "IPKIFCertSearch.h"
#include "IPKIFCertRepositoryUpdate.h"
#include "IPKIFPathValidate.h"
#include "IPKIFCRLRepositoryUpdate.h"
#include "IPKIFPathBuild.h"
#include "IPKIFCryptoMisc.h"
#include "IPKIFCryptoKeyIDOperations.h"

// XXX REMOVEME: when new error codes are available
#include "PKIFCAPIErrors.h"
#include "PKIFNSSErrors.h"
#include "PKIFCryptoPPErrors.h"
using namespace std;

using boost::dynamic_pointer_cast;

#include <iterator>
unsigned char nullParams[] = {0x05,0x00};

struct CPKIFSignedDataImpl
{

    CPKIFSignedData* m_parent;
    CPKIFSignedDataImpl () 
    {
        m_parent = NULL;
    }
    CPKIFSignedDataImpl (CPKIFSignedData  *p) 
    {
        m_parent = p;
    }

    CPKIFBufferPtr GetSignersCert(CACCMSSignerInfo* tmpSignerInfo);
    bool _Verify(int signerIndex, CMSVerificationStatus& status, CPKIFCertificatePtr& sc, CMSPathValidationStatus minStatus);
    void GetCandidateSignersCerts(CACCMSSignerInfo* tmpSignerInfo, IPKIFNameAndKeyList& certs);

    //m_signedData contains the baseline contents for the instance.  all other members
    //are added to m_signedData.  thus when creating a new message m_signedData is empty
    //until encode.  when parsing a message m_signedData is filled upon decode.  helper
    //members are populated as fields are accessed.  additional fields may be added via
    //calls to add functions.
    CPKIFASNWrapper<CACCMSSignedData>* m_signedData;
    bool m_bDecodedContent;     //set to true after decoding, set to false when content is added manually

    CPKIFSignedData::CMSVersion m_version;                              //value set by CalculateAndSetVersion
    CCACDigestAlgorithmIdentifiers m_digestAlgorithms;  //used in collection of algs from SignerInfos
    
    CPKIFEncapsulatedContentInfoPtr m_encapContentInfo; 
    CPKIFFuncStoragePtr m_kuChecker;

    //the following two fields may contain: nothing, manually added items, items from decoded message
    //or manually added items plus items from decoded message 
    CPKIFCertificateList m_certificates;                    
    CPKIFCRLList m_crls;
    
    CPKIFSignerInfoList m_signerInfos;  //contains ONLY manually added signer infos that will be used to 
                                    //generate a signature when encode is called.  signer infos from
                                    //a decoded message are not used to generate a signature when 
                                    //encode is called.

    //members related to hashing of data using all associated hash algs
    CPKIFParallelHash m_detachedData;
    bool m_bDetached;   //used to indicate a detached message has been started.  no signer infos
                        //can be added when this is set to true.
    CPKIFBufferPtr m_decodeBuf; //added 10/20/03

    //members related to verification
    CPKIFCertificatePathPtr m_path;
    CPKIFPathValidationResultsPtr m_valResults;
    CPKIFPathSettingsPtr m_settings;
    IPKIFMediatorPtr m_med;

    //*****************************************************************************
    //  private functions
    //*****************************************************************************
    void AddCerts(CACCMSSignedData* signedData);            //adds certs to CACCMSSignedData structure
    void AddCRLs(CACCMSSignedData* signedData);             //adds crls to CACCMSSignedData structure
    void BuildDigestAlgList(CACCMSSignedData* signedData);  //gathers digest algs from SignerInfos
    void AddSignerInfos(CACCMSSignedData* signedData,       //adds SignerInfos to CACCMSSignedData structure
                            IPKIFMediatorPtr& m);
    void RemoveSignerInfos(CACCMSSignedData* signedData);   //removes decoded SignerInfos from CACCMSSignedData structure

    void CalculateAndSetVersion();  //used to set version based on rules in RFC3369

    //CPKIFBufferPtr GetSignersCert(CACCMSSignerInfo* tmpSignerInfo);

    void MakeSignedData();
    void FreeSignedData();
    void CallingAllGets();
};

#define NEW_VERIFY_FUNC 1
//*************************************************************************************************
//  CPKIFParallelHash member functions and related utility functions 
//*************************************************************************************************


//*****************************************************************************
//  constructors, destructors, clear, makzenfree
//*****************************************************************************
CPKIFSignedData::CPKIFSignedData()
    :m_impl (new CPKIFSignedDataImpl)
{
    LOG_STRING_DEBUG("CPKIFSignedData::CPKIFSignedData()", TOOLKIT_CRYPTO_MISC, 0, this);

    m_impl->m_parent = this;
    m_impl->m_bDecodedContent = false;
    m_impl->m_bDetached = false;

    m_impl->m_version = CMSv0;

    m_impl->m_signedData = NULL;
    m_impl->MakeSignedData();

    SetContentType(g_signedData);
}
CPKIFSignedData::~CPKIFSignedData()
{
    LOG_STRING_DEBUG("CPKIFSignedData::~CPKIFSignedData()", TOOLKIT_CRYPTO_MISC, 0, this);

    m_impl->FreeSignedData();

    //RemoveMediatorAssociations();

    delete m_impl;
    m_impl = NULL;
}
void CPKIFSignedData::AddMediator(
    IPKIFMediatorPtr& m)
{
    m_impl->m_med = m;
}
IPKIFMediatorPtr CPKIFSignedData::GetMediator()
{
    return m_impl->m_med;
}
void CPKIFSignedDataImpl::MakeSignedData()
{
    LOG_STRING_DEBUG("CPKIFSignedData::MakeSignedData()", TOOLKIT_CRYPTO_MISC, 0, this);

    FreeSignedData();

    //throw bad_alloc (this function is invoked from the constructor and ClearContent)
    m_signedData = new CPKIFASNWrapper<CACCMSSignedData>( BEREncCACCMSSignedData, BERDecCACCMSSignedData );
}
void CPKIFSignedDataImpl::FreeSignedData()
{
    LOG_STRING_DEBUG("CPKIFSignedData::FreeSignedData()", TOOLKIT_CRYPTO_MISC, 0, this);

    //if we ever do this then we need to reset the m_bDecodedContent flag to false
    //because we no longer have decoded content
    m_bDecodedContent = false; //added 10/17/2003
    if(NULL != m_signedData)
        delete m_signedData;
    m_signedData = NULL;

    CPKIFBufferPtr emptyBP;
    m_decodeBuf = emptyBP;
}
void CPKIFSignedData::ClearContent(
    bool removeMediatorAssociationsAndPathSettings)
{
    LOG_STRING_DEBUG("CPKIFSignedData::ClearContent(bool removeMediatorAssociations)", TOOLKIT_CRYPTO_MISC, 0, this);

    //free and make
    m_impl->FreeSignedData();
    m_impl->MakeSignedData();

    //falsify the bools
    m_impl->m_bDecodedContent = false;
    m_impl->m_bDetached = false;

    //zero the version
    m_impl->m_version = CMSv0;

    //clear the lists
    m_impl->m_digestAlgorithms.clear();
    m_impl->m_certificates.clear();                 
    m_impl->m_crls.clear();
    m_impl->m_signerInfos.clear();  

    //create and assign a stack of empty smart pointers
    CPKIFEncapsulatedContentInfoPtr tmpECIP;
    m_impl->m_encapContentInfo = tmpECIP;   
    
    CPKIFCertificatePathPtr tmpPath;
    m_impl->m_path = tmpPath;
    
    CPKIFPathValidationResultsPtr tmpResults;
    m_impl->m_valResults = tmpResults;
    
    //added 10/17/2003
    if(removeMediatorAssociationsAndPathSettings)
    {
        //moved this here (changing the meaning of the param) 2/23/2005 CRW
        CPKIFPathSettingsPtr tmpSettings;
        m_impl->m_settings = tmpSettings;

        //RemoveMediatorAssociations();

        IPKIFMediatorPtr tmp;
        m_impl->m_med = tmp;
    }
}

//*****************************************************************************
//  field manipulation functions
//*****************************************************************************
//version (required)
CPKIFSignedData::CMSVersion CPKIFSignedData::GetVersion() const
{
    return m_impl->m_version;
}

//encapsulated content info (required)
CPKIFEncapsulatedContentInfoPtr CPKIFSignedData::GetEncapsulatedContent() const
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetEncapsulatedContent()", TOOLKIT_CRYPTO_MISC, 0, this);

    //data associated with a message may be in any of the following:
    //  - m_encapContentInfo member (via SetEncapsulatedContent)
    //  - in the m_signedData structure (via Decode)
    //  - detached (not covered by this function - preservation of detached data is app's job)

    if(m_impl->m_encapContentInfo == (CPKIFEncapsulatedContentInfo*)NULL && m_impl->m_bDecodedContent)
    {
        //if m_encapContentInfo is empty (i.e. no ecip was manually associated) and
        //we decoded a message, create a new CPKIFEncapsulatedContentInfoPtr object
        //from the decoded message and store it in m_encapContentInfo.
        //m_bDecodedContent is only set to true following an invocation of Decode that does not
        //throw an exception.  we needn't check for existance of m_signedData.
        //throw bad_alloc
        CPKIFEncapsulatedContentInfoPtr tmpECIP(new CPKIFEncapsulatedContentInfo());

        //content type is required so if we get here then we have one (if there wasn't one
        //we'd've failed in the parser)
        //throw bad_alloc or CPKIFException
        CPKIFOIDPtr tmpOID(new CPKIFOID((*m_impl->m_signedData)->encapContentInfo.eContentType.subid, (*m_impl->m_signedData)->encapContentInfo.eContentType.numids));
        tmpECIP->SetOID(tmpOID);

        //actual content is optional - add it to the object if it's there...
        if((*m_impl->m_signedData)->encapContentInfo.m.eContentPresent)
        {
            //throw bad_alloc
            CPKIFBufferPtr tmpBuf(new CPKIFBuffer((*m_impl->m_signedData)->encapContentInfo.eContent.data, (*m_impl->m_signedData)->encapContentInfo.eContent.numocts));
            tmpECIP->SetContent(tmpBuf);
        }

        //save the new ecip
        CPKIFSignedData* nonConst = const_cast<CPKIFSignedData*>(this);
        nonConst->m_impl->m_encapContentInfo = tmpECIP;
    }

    //at this point, m_encapContentInfo could contain content that was manually added via 
    //SetEncapsulatedContent, content from a decoded message or be empty.
    return m_impl->m_encapContentInfo;
}
void CPKIFSignedData::SetEncapsulatedContent(
    CPKIFEncapsulatedContentInfoPtr& ecip)
{
    LOG_STRING_DEBUG("CPKIFSignedData::SetEncapsulatedContent(CPKIFEncapsulatedContentInfoPtr& ecip)", TOOLKIT_CRYPTO_MISC, 0, this);

    //accept no NULLs
    if(ecip == (CPKIFEncapsulatedContentInfo*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //make sure the object passed in has all the pieces we'll need (i.e. just an OID
    //as content can be NULL and be detached)
    CPKIFOIDPtr tmpOID = ecip->GetOID();
    if(tmpOID == (CPKIFOID*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "The EncapsulatedContentInfo object must contain an OID.");

    m_impl->m_encapContentInfo = ecip;
    m_impl->m_bDecodedContent = false;  //from this point forward we will be ignoring (*m_signedData)->encapContentInfo
}
void CPKIFSignedData::UpdateMessage(
    unsigned char* buf,
    int bufLen) //used to set-up detached messages
{
    LOG_STRING_DEBUG("CPKIFSignedData::UpdateMessage(unsigned char* buf, int bufLen)", TOOLKIT_CRYPTO_MISC, 0, this);

    if(NULL == GetMediator())
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "Mediator is not available.");

    //get a pointer to IPKIFCryptoMisc to perform hashing 
    IPKIFCryptoMisc* cMisc = GetMediator()->GetMediator<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "Could not obtain pointer to IPKIFCryptoMisc interface.");

    if(!m_impl->m_bDetached)
    {
        //if we haven't already started a detached message, we need to collect the digest algs from
        //the associated SignerInfos.  signer infos should be locked after this is done to prevent
        //introduction of a different hash alg.

        //create a signed data structure and populate the digest algs field
        //throw bad_alloc
        PKIFCMSMessageMemoryHelper mhSignedData;
        mhSignedData.pSignedData = new CACCMSSignedData;
        memset(mhSignedData.pSignedData, 0, sizeof(CACCMSSignedData));

        try
        {
            m_impl->BuildDigestAlgList(mhSignedData.pSignedData);
        }
        catch(...)
        {
            //BuildDigestAlgList can throw bad_alloc or CPKIFException - we let it pass on and let 
            //PKIFCMSMessageMemoryHelper take care of the clean up but must make sure we don't leave 
            //m_digestAlgorithms partially filled
            m_impl->m_digestAlgorithms.clear();
            throw;
        }

        //pass the collection of algs to the detached data member and update the hash
        // m_impl->m_detachedData.SetDigestAlgs(cMisc, &mhSignedData.pSignedData->digestAlgorithms);
        // m_impl->m_bDetached = true;

        // XXX TO DO
        // Should we use deferred parsing instead of the decode/encode/decode that is now being
        // performed because of the deobjectification?

        CACASNWRAPPER_CREATE(CACCMSDigestAlgorithmIdentifiers, digestAlgsVal);
        ASN1OpenType* encodedAlgs = digestAlgsVal.Encode(&mhSignedData.pSignedData->digestAlgorithms);
        CPKIFBufferPtr data(new CPKIFBuffer (encodedAlgs->data, encodedAlgs->numocts));

        if (encodedAlgs != NULL)
        {
            delete encodedAlgs;
        }
        m_impl->m_detachedData.SetDigestAlgs(cMisc, data);
        m_impl->m_bDetached = true;
    }

    //update the running hash for all hash algs (let the caller catch exceptions)
    m_impl->m_detachedData.UpdateMessage(cMisc, buf, bufLen);
}

//certificates (optional)
void CPKIFSignedData::AddCertificate(
    CPKIFCertificatePtr& cert)
{
    LOG_STRING_DEBUG("CPKIFSignedData::AddCertificate(CPKIFCertificatePtr& cert)", TOOLKIT_CRYPTO_MISC, 0, this);

    //accept no NULLs
    if(cert == (CPKIFCertificate*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //accept no empty certs
    CPKIFBufferPtr encCert = cert->Encoded();
    if(encCert == (CPKIFBuffer*)NULL || 0 == encCert->GetLength())
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    m_impl->m_certificates.push_back(cert);
}
void CPKIFSignedData::GetCertificates(
    CPKIFCertificateList& certs)
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetCertificates(CPKIFCertificateList& certs)", TOOLKIT_CRYPTO_MISC, 0, this);

    //return list containing contents of m_certificates plus certs in m_signedData.
    //destroy certs in m_signedData after adding them to m_certificates (don't really
    //destroy certs - just change flag so they don't get ignored in the future).

    //removed the following line 7/22/2004 because it is not desirable - Armen
    //certs.clear();

    //first, update m_certificates with any certs from m_signedData
    if(m_impl->m_signedData != NULL && NULL != (*m_impl->m_signedData).data() && (*m_impl->m_signedData)->m.certificatesPresent)
    {
        DListNode* iter = (*m_impl->m_signedData)->certificates.head;
        while(NULL != iter)
        {
            CACCMSCertificateChoices* curChoice = (CACCMSCertificateChoices*)iter->data;
            if(T_CACCMSCertificateChoices_certificate != curChoice->t)
            {
                iter = iter->next;
                continue;
            }

            ASN1OpenType* cert = (ASN1OpenType*)curChoice->u.certificate;

            try
            {
                CPKIFCertificatePtr newCert(new CPKIFCertificate());
                newCert->Decode(cert->data, cert->numocts);
                m_impl->m_certificates.push_back(newCert);
            }
            catch(CPKIFException&)
            {
                //don't bother the caller with malformed certs
            }
            catch(std::bad_alloc& ba)
            {
                //empty the list
                m_impl->m_certificates.clear();
                throw ba;
            }
    
            iter = iter->next;
        }

        (*m_impl->m_signedData)->m.certificatesPresent = 0;
    }

    //next, copy the contents of the m_certificates list to the certs list
    copy(m_impl->m_certificates.begin(), m_impl->m_certificates.end(), back_inserter(certs));
}

//crls (optional)
void CPKIFSignedData::AddCRL(
    CPKIFCRLPtr& crl)
{
    LOG_STRING_DEBUG("CPKIFSignedData::AddCRL(CPKIFCRLPtr& crl)", TOOLKIT_CRYPTO_MISC, 0, this);

    //accept no NULLs
    if(crl == (CPKIFCRL*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //accept no empty certs
    CPKIFBufferPtr encCRL = crl->Encoded();
    if(encCRL == (CPKIFBuffer*)NULL || 0 == encCRL->GetLength())
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    m_impl->m_crls.push_back(crl);
}
void CPKIFSignedData::GetCRLs(
    CPKIFCRLList& crls)
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetCRLs(CPKIFCRLList& crls)", TOOLKIT_CRYPTO_MISC, 0, this);

    //return list containing contents of m_crls plus crls in m_signedData.
    //destroy crls in m_signedData after adding them to m_crls (don't really
    //destroy crls - just change flag so they don't get ignored in the future).

    crls.clear();

    //first, update m_crls with any crls from m_signedData
    if(m_impl->m_signedData != NULL && NULL != (*m_impl->m_signedData).data() && (*m_impl->m_signedData)->m.crlsPresent)
    {
        DListNode* iter = (*m_impl->m_signedData)->crls.head;
        while(NULL != iter)
        {
            CACCMSRevocationInfoChoice* curChoice = (CACCMSRevocationInfoChoice*)iter->data;

            if(T_CACCMSRevocationInfoChoice_crl != curChoice->t)
            {
                iter = iter->next;
                continue;
            }

            ASN1OpenType* crl = (ASN1OpenType*)curChoice->u.crl;

            try
            {
                CPKIFCRLPtr newCRL(new CPKIFCRL());
                newCRL->Decode(crl->data, crl->numocts);
                m_impl->m_crls.push_back(newCRL);
            }
            catch(CPKIFException&)
            {
                //don't bother the caller with malformed crls
            }
            catch(std::bad_alloc& ba)
            {
                //empty the list
                m_impl->m_crls.clear();
                throw ba;
            }

            iter = iter->next;
        }

        (*m_impl->m_signedData)->m.crlsPresent = 0;
    }

    //next, copy the contents of the m_crls list to the crls list
    copy(m_impl->m_crls.begin(), m_impl->m_crls.end(), back_inserter(crls));
}
void CPKIFSignedData::AddSignerInfo(
    CPKIFSignerInfoPtr& si)
{
    LOG_STRING_DEBUG("CPKIFSignedData::AddSignerInfo(CPKIFSignerInfoPtr& si)", TOOLKIT_CRYPTO_MISC, 0, this);

    if(m_impl->m_bDetached)
        throw CPKIFMessageException(thisComponent, MSG_INVALID_STATE, "All signers must be added prior to calling UpdateMessage.");

    //accept no NULLs
    if(si == (CPKIFSignerInfo*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);

    //make sure it has everything we need

    m_impl->m_signerInfos.push_back(si);
}
void CPKIFSignedData::GetSignerInfos(
    CPKIFSignerInfoList& sis)
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetSignerInfos(CPKIFSignerInfoList& sis)", TOOLKIT_CRYPTO_MISC, 0, this);

    sis.clear();

    copy(m_impl->m_signerInfos.begin(), m_impl->m_signerInfos.end(), back_inserter(sis));

    CACASNWRAPPER_CREATE(CACCMSSignerInfo, InfoWrapper);

    if((*m_impl->m_signedData).data() != NULL && 0 != (*m_impl->m_signedData)->signerInfos.count)
    {
        DListNode* cur = (*m_impl->m_signedData)->signerInfos.head;
        while(NULL != cur)
        {
            ASN1OpenType *data = InfoWrapper.Encode((CACCMSSignerInfo*)cur->data);
            CPKIFBufferPtr siBuf(new CPKIFBuffer(data->data, data->numocts));
            delete data;

            CPKIFSignerInfoPtr si(new CPKIFSignerInfo(siBuf));
            //CPKIFSignerInfoPtr si(new CPKIFSignerInfo(*(CACCMSSignerInfo*)cur->data));
            sis.push_back(si);

            m_impl->m_signerInfos.push_back(si);

            cur = cur->next;
        }
        (*m_impl->m_signedData)->signerInfos.count = 0;
    }
}

//*****************************************************************************
//  encode and decode functions
//*****************************************************************************
CPKIFBufferPtr CPKIFSignedData::Encode()
{
    LOG_STRING_DEBUG("CPKIFSignedData::Encode()", TOOLKIT_CRYPTO_MISC, 0, this);

    //We may be encoding:
    //  - using stuff added since creation of this instance
    //  - using stuff from m_signedData
    //  - using stuff from m_signedData plus stuff added since parsing

    //*****************************************************************
    //  sanity check the inputs
    //*****************************************************************
    if(NULL == GetMediator())
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "Mediator is not available.");

    IPKIFCryptoKeyIDOperations* cKeyID = GetMediator()->GetMediator<IPKIFCryptoKeyIDOperations>();
    if(NULL == cKeyID)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoKeyIDOperations interface is not available.");

    IPKIFCryptoMisc* cMisc = GetMediator()->GetMediator<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoMisc interface is not available.");

    CPKIFEncapsulatedContentInfoPtr ecip = GetEncapsulatedContent();
    if(ecip == (CPKIFEncapsulatedContentInfo*)NULL || ecip->GetOID() == (CPKIFOID*)NULL)
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "EncapsulatedContentInfo is not available.");

    //*****************************************************************
    //  prepare the signed data structure to encode
    //*****************************************************************
    //throw bad_alloc
    PKIFCMSMessageMemoryHelper mhSignedData;
    mhSignedData.pSignedData = new CACCMSSignedData;
    memset(mhSignedData.pSignedData, 0, sizeof(CACCMSSignedData));
    
    //add any certs and crls to the message to encode (can throw bad_alloc)
    m_impl->AddCerts(mhSignedData.pSignedData);
    m_impl->AddCRLs(mhSignedData.pSignedData);

    //iterate over the signer infos and build a list of all digest algs
    try
    {
        m_impl->BuildDigestAlgList(mhSignedData.pSignedData);
    }
    catch(...)
    {
        //BuildDigestAlgList can throw bad_alloc or CPKIFException - we let it pass on and let 
        //PKIFCMSMessageMemoryHelper take care of the clean up but must make sure we don't leave 
        //m_digestAlgorithms partially filled
        m_impl->m_digestAlgorithms.clear();
        throw;
    }

    //set up the content type of the data that was signed
    CPKIFStringPtr str(new std::string(ecip->GetOID()->ToString())); 
    ASN1OBJID* tmpOid = ConvertStringToASN1OBJID(str);
    CopyOID(&mhSignedData.pSignedData->encapContentInfo.eContentType, tmpOid);

    if(NULL != tmpOid)
        delete tmpOid;
    //mhSignedData.pSignedData->encapContentInfo.eContentType = *ecip->GetOID()->raw();
    //mhSignedData.pSignedData->encapContentInfo.eContentType = *tmpOid;

    //see if the content is encapsulated or detached
    CPKIFBufferPtr ecipBuf = ecip->GetContent();
    if(ecipBuf != (CPKIFBuffer*)NULL)
    {
        //if encapsulated add it to the message
        mhSignedData.pSignedData->encapContentInfo.m.eContentPresent = 1;
        mhSignedData.pSignedData->encapContentInfo.eContent.data = ecipBuf->GetBuffer();
        mhSignedData.pSignedData->encapContentInfo.eContent.numocts = ecipBuf->GetLength();
    
        //clear out any old hash info (if present)
        m_impl->m_detachedData.FreeHashVector();
        m_impl->m_bDetached = false; //added 04/08/2003 CRW

        //hash the content (UpdateMessage can throw)
        UpdateMessage((unsigned char*)mhSignedData.pSignedData->encapContentInfo.eContent.data, mhSignedData.pSignedData->encapContentInfo.eContent.numocts);
    }
    else
        mhSignedData.pSignedData->encapContentInfo.m.eContentPresent = 0;

    //next, determine the data to be hashed and hash it (this can throw)
    m_impl->m_detachedData.FinalizeHashes(cMisc);

    //AddSignerInfos can throw bad_alloc
    // GCC doesn't like this->GetMediator() as a function parameter when a reference is required
    IPKIFMediatorPtr med = this->GetMediator();
    m_impl->AddSignerInfos(mhSignedData.pSignedData, med);

    //set the version
    m_impl->CalculateAndSetVersion();
    mhSignedData.pSignedData->version = (CACCMSCMSVersion)GetVersion();

    CACASNWRAPPER_CREATE(CACCMSSignedData, objPDU);
    ASN1OpenType* data1 = NULL;
    
    try
    {
        data1 = objPDU.Encode(mhSignedData.pSignedData);
    }
    catch(...)
    {
        //we must remove pre-existing signer infos from the list in the memory helper before cleanup
        //re-throw any exception
        m_impl->RemoveSignerInfos(mhSignedData.pSignedData);
        throw;
    }
    
    CPKIFBufferPtr tmp;
    try
    {
        //copy the buffer info a buffer ptr to be returned to the caller
        CPKIFBufferPtr tmpTmp(new CPKIFBuffer((unsigned char*)data1->data, data1->numocts));
        tmp = tmpTmp;
        delete data1; data1 = NULL;
    }
    catch(std::bad_alloc& ba)
    {
        if(data1)
            delete data1;
        throw ba;
    }

    //because we reused any signer infos from the decoded message directly,
    //it is necessary to remove them from the list before cleaning up
    m_impl->RemoveSignerInfos(mhSignedData.pSignedData);

    //immediately after encoding - decode the message and remove all members
    //to keep the object in a suitable state
    //XXX-DEFER should the state be maintained in this clear and decode fashion
    //      or should another means be implemented (possibly storage of the
    //      encoded buffer with state-related macros at the beginning of every 
    //      function to trigger decodes as necessary)
    ClearContent(false);
    Decode(tmp);
    m_impl->CallingAllGets();

    return tmp;
}
void CPKIFSignedData::Decode(
    CPKIFBufferPtr& buf)
{
    LOG_STRING_DEBUG("CPKIFSignedData::Decode(CPKIFBufferPtr& buf)", TOOLKIT_CRYPTO_MISC, 0, this);

    //moved this stuff above input check 2/23/2005 CRW
    //make sure hash object is empty (moved up here from below try/catch 10/17/2003)
    m_impl->m_detachedData.FreeHashVector();
    m_impl->m_bDetached = false; //added 4/8/2003 CRW
    ClearContent(false); //added this to clear out all members 2/23/2005 CRW

    //if the input is empty - fail now
    if(buf == (CPKIFBuffer*)NULL)
    {
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT);
    }

    try
    {
        //otherwise try to parse it into the signed data member
        //breakdown of m_signedData into PKIF classes will occur on demand
        (*m_impl->m_signedData).Decode(buf->GetBuffer(), buf->GetLength());
        m_impl->m_bDecodedContent = true;
        m_impl->m_decodeBuf = buf; //gotta keep the raw buffer alive to facilitate object reuse - 10/20/03

        switch((*m_impl->m_signedData)->version)
        {
        case CACCMSv0:
            m_impl->m_version = CPKIFSignedData::CMSv0;
            break;
        case CACCMSv1:
            m_impl->m_version = CPKIFSignedData::CMSv1;
            break;
        case CACCMSv2:
            m_impl->m_version = CPKIFSignedData::CMSv2;
            break;
        case CACCMSv3:
            m_impl->m_version = CPKIFSignedData::CMSv3;
            break;
        case CACCMSv4:
            m_impl->m_version = CPKIFSignedData::CMSv4;
            break;
        }
    }
    catch(CPKIFException& e)
    {
        unsigned char * decoded = NULL;
        unsigned long decodedLen;
        bool b = PEMDecode((char *)buf->GetBuffer(), &decoded, &decodedLen);
        if(b)
        {
            try
            {
                (*m_impl->m_signedData).InitContext();
                (*m_impl->m_signedData).Decode(decoded, decodedLen);

                CPKIFBufferPtr tmp(new CPKIFBuffer(decoded, decodedLen));
                m_impl->m_bDecodedContent = true;
                m_impl->m_decodeBuf = tmp;

                switch((*m_impl->m_signedData)->version)
                {
                case CACCMSv0:
                    m_impl->m_version = CPKIFSignedData::CMSv0;
                    break;
                case CACCMSv1:
                    m_impl->m_version = CPKIFSignedData::CMSv1;
                    break;
                case CACCMSv2:
                    m_impl->m_version = CPKIFSignedData::CMSv2;
                    break;
                case CACCMSv3:
                    m_impl->m_version = CPKIFSignedData::CMSv3;
                    break;
                case CACCMSv4:
                    m_impl->m_version = CPKIFSignedData::CMSv4;
                    break;
                }

                if(NULL != decoded)
                    delete decoded;

            }catch(CPKIFException& e)
            {
                if(NULL != decoded)
                    delete decoded;

                CPKIFMessageException me(thisComponent, MSG_DECODE_FAILED);
                me.push_info(e);
                //delete e;
                throw me;
            }
        }else
        {
            if(NULL != decoded)
                    delete decoded;
            CPKIFMessageException me(thisComponent, MSG_DECODE_FAILED);
            me.push_info(e);
            throw me;
        }
    }
}

//*****************************************************************************
//  message verification (and related) functions
//*****************************************************************************
//Functor<void, TYPELIST_3(const CPKIFCertificateNodeEntryPtr&, CPKIFPathValidationResults&, CertificateType)> keyUsageSigFunctor2(keyUsageChecker_Signature);
bool CPKIFSignedData::Verify(
    int signerIndex, 
    CMSVerificationStatus& status,
    CMSPathValidationStatus minStatus)
{
    CPKIFCertificatePtr signersCert; //empty cert object
    return m_impl->_Verify(signerIndex, status, signersCert, minStatus);
}
bool CPKIFSignedData::Verify(
    int signerIndex, 
    CMSVerificationStatus& status, 
    CPKIFCertificatePtr& signersCert, 
    CMSPathValidationStatus minStatus)
{
    return m_impl->_Verify(signerIndex, status, signersCert, minStatus);
}

#ifndef NEW_VERIFY_FUNC

bool CPKIFSignedData::_Verify(
    int signerIndex, 
    CMSVerificationStatus& status, 
    CPKIFCertificatePtr& sc, 
    CMSPathValidationStatus minStatus)
{
    LOG_STRING_DEBUG("CPKIFSignedData::_Verify(int signerIndex,...", TOOLKIT_CRYPTO_MISC, 0, this);

    status = NOT_VERIFIED;

    PKIFFuncStorage keyUsageSigFunctor2(keyUsageChecker_Signature);

    //collect the necessary interfaces:
    //      IPKIFCryptoMisc - to prepare hashes
    //      IPKIFCryptoRawOperations - to perform signature verification
    if(NULL == GetMediator())
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "Mediator is not available.");

    IPKIFCryptoMisc* cMisc = GetMediator()->GetMediator<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoMisc interface is not available.");
    IPKIFCryptoRawOperations* cRaw = GetMediator()->GetMediator<IPKIFCryptoRawOperations>();
    if(NULL == cRaw)
        throw CPKIFMessageException(thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoRawOperations interface is not available.");

    //added 3/17 CRW
    if(NULL == m_signedData->data())
        throw CPKIFMessageException(thisComponent, MSG_INVALID_STATE, "Message has not been decoded.");

    //see if data was present that needs hashing (if m_bDetached is set then we've already hashed)
    if((*m_signedData)->encapContentInfo.m.eContentPresent && !m_bDetached)
    {
        //if content is present in the message throw out anything that was passed in via UpdateMessage
        m_detachedData.FreeHashVector();
        m_bDetached = false; //added 04/08/2003 CRW
        UpdateMessage((unsigned char*)(*m_signedData)->encapContentInfo.eContent.data, (*m_signedData)->encapContentInfo.eContent.numocts);
    }

    CPKIFOIDPtr encapType = GetEncapsulatedContent()->GetOID();

    //finalize all hashes (either initialized above or via external call to UpdateMessage)
    m_detachedData.FinalizeHashes(cMisc);

    //iterate over all signed infos
    bool b = false;
    HASH_ALG hashAlg;
    DListNode* cur = (*m_signedData)->signerInfos.head;
    for(int ii = 0; ii < signerIndex && NULL != cur; ++ii)
        cur = cur->next;

    if(NULL == cur)
        throw CPKIFMessageException(thisComponent, MSG_INVALID_INDEX, "signerIndex is invalid.");

    CACCMSSignerInfo* si = (CACCMSSignerInfo*)cur->data;
    CPKIFBufferPtr signerCert;

    bool deleteHI = false;

    //see if a cert was passed in - if so use it - if not look in the signers info for the cert
    if(sc != (CPKIFCertificate*)NULL)
        signerCert = sc->Encoded();
    else
    {
        CPKIFCertificatePtr tmpSC;
        GetSignersCert(signerIndex, tmpSC);
        if(tmpSC != (CPKIFCertificate*)NULL)
            signerCert = tmpSC->Encoded();
    }

    //if we got a cert - try to get a hash alg and continue
    if(signerCert != (CPKIFBuffer*)NULL && GetCACHashAlg(&si->digestAlgorithm, &hashAlg))
    {
        //if we got a hash alg try to get a hash result
        HashInfo* hi = NULL;

        if(!si->m.signedAttrsPresent)
        {
            //if no signed attrs are present then retrieve the hash of the data     
            hi = m_detachedData.GetHashInfo(hashAlg);
        }
        else
        {
            //get the hash of the data
            HashInfo* hi2 = m_detachedData.GetHashInfo(hashAlg);

            //then compute the hash over the signed attrs (this will be used for verification below)
            hi = ComputeSignedAttrHash(si, cMisc);
            deleteHI = true;

            if(!CompareHashes(hi2, si))
            {
                //if hash of data does not match the hash contained in the signed attr bag
                //or if there is no content hash in the signed attr bag then fail
                status = CMS_SIGNATURE_INVALID;
                return false;
            }

            //added 04/28/2003
            CPKIFSignerInfo tmpSI(*si);
            CPKIFContentTypeAttributePtr ct = tmpSI.GetSignedAttribute<CPKIFContentTypeAttribute>();
            if(ct == (CPKIFContentTypeAttribute*)NULL)
            {
                status = CMS_SIGNATURE_INVALID;
                return false;
            }
            else
            {
                CPKIFOIDPtr ctType = ct->GetContentType();
                if(ctType == (CPKIFOID*)NULL || !(*ctType == *encapType))
                {
                    status = CMS_SIGNATURE_INVALID;
                    return false;
                }
            }
                
        }

        if(NULL != hi)
        {
            //if we got a hash result fix up a key material class and try to verify the signature
            CPKIFKeyMaterial key;
            key.SetCertificate(signerCert->GetBuffer(), signerCert->GetLength());

            if(!cRaw->Verify(key, hi->m_hashResult, hi->m_hashAlg, (unsigned char*)si->signature.data, si->signature.numocts))
            {
                if(NULL != hi && deleteHI)
                    delete hi;
                status = CMS_SIGNATURE_INVALID;
                return false;
            }
            else
            {
                if(NULL != hi && deleteHI)
                    delete hi;
                status = CMS_SIGNATURE_VERIFIED;
            }
        }
        else
        {
            throw CPKIFMessageException(thisComponent, COMMON_UNSUPPORTED_ALG, "Unsupported hashing algorithm.");       
        }       
    }
    else
    {
        throw CPKIFMessageException(thisComponent, MSG_NO_CERTIFICATE, "No signers certificate was present in the message.");
    }

    //added 04/26/2003 - CRW
    if(PVS_NOT_VALIDATED == minStatus)
        return true;

    IPKIFPathBuild* cBuild = GetMediator()->GetMediator<IPKIFPathBuild>();
    if(NULL == cBuild)
        return false;

    IPKIFPathValidate* cValidate = GetMediator()->GetMediator<IPKIFPathValidate>();
    if(NULL == cValidate)
        return false;

    CPKIFCertificatePathPtr tmpPath(new CPKIFCertificatePath);
    m_path = tmpPath;

    CPKIFPathValidationResultsPtr tmpValResults(new CPKIFPathValidationResults);
    m_valResults = tmpValResults;

    CPKIFCertificatePtr signersCert(new CPKIFCertificate());
    signersCert->Decode(signerCert->GetBuffer(), signerCert->GetLength());
    m_path->SetTarget(signersCert);

    //if settings have been associated with this object use them
    //otherwise defer to the default settings (either globally set
    //or defined to be very permissive)
    if(m_settings != (CPKIFPathSettings*)NULL)
        m_path->SetPathSettings(m_settings);

    try
    {
        do
        {
            if(!cBuild->BuildPath(*m_path))
            {
                return false;
            }
            if(cValidate->ValidatePath(*m_path, *m_valResults, &keyUsageSigFunctor2))
            {
                if(NOT_REVOKED == m_valResults->GetRevocationStatusMostSevere())
                {
                    status = REV_STATUS_VERIFIED;
                    return true;    
                }
                else
                {
                    status = CERT_PATH_VERIFIED;
                    return PVS_REV_STATUS_VERIFIED > minStatus; //return true only if min status
                                                                //is less than rev status verified
                }
            }
            else
            {
                if(!m_valResults->GetBasicChecksSuccessfullyPerformed() ||
                    !m_valResults->GetCertSignaturesVerified())
                {
                    status = CERT_PATH_INVALID; //set the status but keep looking
                }
                else if(REVOKED == m_valResults->GetRevocationStatusMostSevere())
                {
                    status = REV_STATUS_INVALID;

                    //see if the signer was revoked - if so, stop looking and return false now
                    //if they don't match then a CA cert was revoked and we should keep looking
                    //for a good path
                    CPKIFCertificateNodeEntryPtr errantCertNode = m_valResults->GetCertificate();
                    if(errantCertNode != (CPKIFCertificateNodeEntry*)NULL)
                    {
                        CPKIFCertificatePtr errantCert = errantCertNode->GetCert();
                        if(errantCert != (CPKIFCertificate*)NULL && *errantCert == *signersCert)
                            return false;
                    }
                }
                else if(m_valResults->GetBasicChecksSuccessfullyPerformed() &&
                    m_valResults->GetCertSignaturesVerified())
                {
                    status = CERT_PATH_VERIFIED; //verification successful but revocation not checked
                    if(PVS_REV_STATUS_VERIFIED > minStatus) //if min say OK return true - else keep looking
                        return true;
                }
            }
        }while(1);
    }
    catch(CPKIFException& e)
    {
        LOG_STRING_ERROR(e.print()->c_str(), thisComponent, COMMON_UNKNOWN_ERROR, this);
        return false;
    }
}
#endif

void CPKIFSignedData::SetPathSettings(
    CPKIFPathSettingsPtr& settings)
{
    //do allow NULL to be passed to clear out any custom path settings in favor of defaults
    m_impl->m_settings = settings;
}
CPKIFCertificatePathPtr CPKIFSignedData::GetPath() const
{
    return m_impl->m_path;
}
CPKIFPathValidationResultsPtr CPKIFSignedData::GetValidationResults() const
{
    return m_impl->m_valResults;
}
void CPKIFSignedData::GetSignersCert(
    int signerIndex,
    CPKIFCertificatePtr& cert)
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetSignersCert(int signerIndex, CPKIFCertificatePtr& cert)", TOOLKIT_CRYPTO_MISC, 0, this);

    if(NULL == m_impl->m_signedData || NULL == (*m_impl->m_signedData).data())
        throw CPKIFMessageException(thisComponent, MSG_INVALID_STATE, "Decoded message not present.");

    CPKIFCertificatePtr emptyCert;
    cert = emptyCert;

    DListNode* cur = (*m_impl->m_signedData)->signerInfos.head;
    for(int ii = 0; ii < signerIndex && NULL != cur; ++ii)
        cur = cur->next;

    if(NULL == cur)
        return;

    CACCMSSignerInfo* si = (CACCMSSignerInfo*)cur->data;
    CPKIFBufferPtr signerCert = m_impl->GetSignersCert(si);
    if (signerCert == (CPKIFBuffer*)NULL)
        return;

    //throw bad_alloc
    CPKIFCertificatePtr tmpCert(new CPKIFCertificate);

    //throw PKIFException
    tmpCert->Decode(signerCert->GetBuffer(), signerCert->GetLength());

    //set outbound cert variable to the parsed cert
    cert = tmpCert;
}
size_t CPKIFSignedData::GetNumberOfSigners() const
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetNumberOfSigners()", TOOLKIT_CRYPTO_MISC, 0, this);

    if(NULL == m_impl->m_signedData || NULL == (*m_impl->m_signedData).data())
        return 0;
    else if((*m_impl->m_signedData)->signerInfos.count > 0)
        return (*m_impl->m_signedData)->signerInfos.count;
    else
    {
        //added this and if after the else above 10/21/2003
        //we've already reset the signerInfo count and everything is in the sis array
        return m_impl->m_signerInfos.size();
    }
}
CPKIFSignerInfoPtr CPKIFSignedData::GetSignersInfo(
    int signerIndex)
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetSignersInfo()", TOOLKIT_CRYPTO_MISC, 0, this);

    CPKIFSignerInfoPtr tmpSI;
    if(NULL == m_impl->m_signedData || NULL == (*m_impl->m_signedData).data())
        throw CPKIFMessageException(thisComponent, COMMON_INVALID_INPUT, "Decoded message not present.");

    DListNode* cur = (*m_impl->m_signedData)->signerInfos.head;
    for(int ii = 0; ii < signerIndex && NULL != cur; ++ii)
        cur = cur->next;

    if(NULL == cur)
        return tmpSI;

    CACCMSSignerInfo* si = (CACCMSSignerInfo*)cur->data;
    CACASNWRAPPER_CREATE(CACCMSSignerInfo, InfoWrapper); 
    ASN1OpenType *data = InfoWrapper.Encode(si);
    CPKIFBufferPtr siBuf(new CPKIFBuffer(data->data, data->numocts));
    delete data;

    //throw bad_alloc or PKIFException
    //CPKIFSignerInfoPtr sip(new CPKIFSignerInfo(*si));
    CPKIFSignerInfoPtr sip(new CPKIFSignerInfo(siBuf));
    return sip;
}

//*****************************************************************************
//  private functions
//*****************************************************************************
void CPKIFSignedDataImpl::AddCerts(
    CACCMSSignedData* signedData)
{
    LOG_STRING_DEBUG("CPKIFSignedData::AddCerts(CACCMSSignedData* signedData)", TOOLKIT_CRYPTO_MISC, 0, this);

    //get the complete list of certs that should be included in the message
    CPKIFCertificateList certs;
    m_parent->GetCertificates(certs);

    //if there are certs in one of the sources proceed.  first set count to zero
    //and presence indicator to true.
    signedData->certificates.count = 0;

    if(certs.empty())
    {
        //bail out if there are no certs to include
        signedData->m.certificatesPresent = 0;
        return;
    }
    else
        signedData->m.certificatesPresent = 1;

    DListNode* cur = NULL;

    //iterate over certs in m_certificates list
    CPKIFCertificateList::iterator certPos; 
    CPKIFCertificateList::iterator certEnd = certs.end();
    for(certPos = certs.begin(); certPos != certEnd; ++certPos)
    {
        //throw bad_alloc - memory helper in the caller will handle clean up    
        if(NULL == cur)
        {
            NEW_NODE(cur)
        }
        else
        {
            NEW_NEXT_AND_ADVANCE(cur)
        }

        CACCMSCertificateChoices* tmpChoice = new CACCMSCertificateChoices;
        tmpChoice->t = T_CACCMSCertificateChoices_certificate;
        tmpChoice->u.certificate = new ASN1OpenType;
        
        //certs were screened when added to make sure the encoded buffer existed
        tmpChoice->u.certificate->data = (*certPos)->Encoded()->GetBuffer();
        tmpChoice->u.certificate->numocts = (*certPos)->Encoded()->GetLength();
        
        cur->data = tmpChoice;

        SET_HEAD_TAIL_INCREMENT(signedData->certificates, cur)
    }   
}
void CPKIFSignedDataImpl::AddCRLs(
    CACCMSSignedData* signedData)
{
    LOG_STRING_DEBUG("CPKIFSignedData::AddCRLs(CACCMSSignedData* signedData)", TOOLKIT_CRYPTO_MISC, 0, this);

    //get the complete list of crls that should be included in the message
    CPKIFCRLList crls;
    m_parent->GetCRLs(crls);

    //if there are crls in one of the sources proceed.  first set count to zero
    //and presence indicator to true.
    signedData->crls.count = 0;

    if(crls.empty())
    {
        signedData->m.crlsPresent = 0;
        return;
    }
    else
        signedData->m.crlsPresent = 1;

    DListNode* cur = NULL;

    //iterate over certs in m_certificates list
    CPKIFCRLList::iterator crlPos;  
    CPKIFCRLList::iterator crlEnd = crls.end();
    for(crlPos = crls.begin(); crlPos != crlEnd; ++crlPos)
    {
        //throw bad_alloc - memory helper in the caller will handle clean up    
        if(NULL == cur)
        {
            NEW_NODE(cur)
        }
        else
        {
            NEW_NEXT_AND_ADVANCE(cur)
        }

        CACCMSRevocationInfoChoice* revChoice = new CACCMSRevocationInfoChoice;
        revChoice->t = T_CACCMSRevocationInfoChoice_crl;
        revChoice->u.crl = new ASN1OpenType;

        //crls were screened when added to make sure the encoded buffer existed
        revChoice->u.crl->data = (*crlPos)->Encoded()->GetBuffer();
        revChoice->u.crl->numocts = (*crlPos)->Encoded()->GetLength();

        cur->data = revChoice;

        SET_HEAD_TAIL_INCREMENT(signedData->crls, cur)
    }   
}
void CPKIFSignedDataImpl::BuildDigestAlgList(
    CACCMSSignedData* signedData)
{
    LOG_STRING_DEBUG("CPKIFSignedData::BuildDigestAlgList(CACCMSSignedData* signedData)", TOOLKIT_CRYPTO_MISC, 0, this);

    //need to build a list of algs from m_signerInfos and from m_signedData
    DListNode* cur = NULL;
    
    //declare an iterator that will identify the end of the growing list each iteration
    CCACDigestAlgorithmIdentifiers::iterator digAlgsEnd;

    //clear the lists of digest algs
    m_digestAlgorithms.clear();
    signedData->digestAlgorithms.count = 0;

    //add all algs from the decoded structure
    if(m_signedData && (*m_signedData).data())
    {
        DListNode* existing = (*m_signedData)->digestAlgorithms.head;
        while(NULL != existing)
        {
            //throw either bad_alloc or CPKIFException

            //CPKIFAlgorithmIdentifier creation
            CPKIFOIDPtr algOID(new CPKIFOID(((CACX509V3AlgorithmIdentifier*)existing->data)->algorithm.subid,
                                ((CACX509V3AlgorithmIdentifier*)existing->data)->algorithm.numids));
                        CPKIFBufferPtr paramBuf;
            if(((CACX509V3AlgorithmIdentifier*)existing->data)->m.parametersPresent)
            {
                paramBuf = CPKIFBufferPtr(new CPKIFBuffer(((CACX509V3AlgorithmIdentifier*)existing->data)->parameters.data,
                            ((CACX509V3AlgorithmIdentifier*)existing->data)->parameters.numocts));
            
            
            }
            
            CPKIFAlgorithmIdentifierPtr tmpAlg(new CPKIFAlgorithmIdentifier(algOID, paramBuf)); 
            //CPKIFAlgorithmIdentifierPtr tmpAlg(new CPKIFAlgorithmIdentifier(*((CACX509V3AlgorithmIdentifier*)existing->data)));   

            //assume that the same alg didn't appear in an encoded message twice
            m_digestAlgorithms.push_back(tmpAlg);

            existing = existing->next;
        }
    }

    //iterate over m_signerInfos
    CPKIFSignerInfoList::iterator pos;
    CPKIFSignerInfoList::iterator end = m_signerInfos.end();
    for(pos = m_signerInfos.begin(); pos != end; ++pos)
    {
        //get the alg from the current signer info object
        CPKIFAlgorithmIdentifierPtr digestAlg = (*pos)->GetDigestAlg();

        //get end of the current alg list
        digAlgsEnd = m_digestAlgorithms.end();

        //set up a predicate object to handle alg ID comparison
        GottaMatch<CPKIFAlgorithmIdentifierPtr> gm;
        gm.SetRHS(digestAlg);

        //search the m_digestAlgorithms and see if the alg from cur signer is already in the list
        if(digAlgsEnd == find_if(m_digestAlgorithms.begin(), m_digestAlgorithms.end(), gm))
        {
            //if not alread in the list - add it
            m_digestAlgorithms.push_back(digestAlg);
        }
    }

    //at this point m_digestAlgorithms has everything from the decoded message and any
    //algs from m_signerInfos that weren't present in the decoded set
    if(!m_digestAlgorithms.empty())
    {
        //now we iterate over the list and prepare an objective structure
        //containing the algs that will be present in the message
        CCACDigestAlgorithmIdentifiers::iterator pos;
        CCACDigestAlgorithmIdentifiers::iterator end = m_digestAlgorithms.end();
        for(pos = m_digestAlgorithms.begin(); pos != end; ++pos)
        {
            CPKIFAlgorithmIdentifierPtr digestAlg = (*pos);

            if(NULL == cur)
            {
                NEW_NODE(cur)
            }
            else
            {
                NEW_NEXT_AND_ADVANCE(cur)
            }

            //build list in Objective structure (throw bad_alloc - memory helper in caller will clean
            //up any previously allocated memory)
            CACX509V3AlgorithmIdentifier* tmpDA = new CACX509V3AlgorithmIdentifier;

            tmpDA->m.parametersPresent = 1;
            tmpDA->parameters.data = g_nullParams;
            tmpDA->parameters.numocts = 2;
            CPKIFStringPtr str(new std::string(digestAlg->oid()->ToString())); 
            ASN1OBJID* tmpOid = ConvertStringToASN1OBJID(str);

            CopyOID(&tmpDA->algorithm, tmpOid);

            if( NULL != tmpOid)
                delete tmpOid;
            //tmpDA->algorithm = *(digestAlg->oid()->raw());
            //tmpDA->algorithm = *tmpOid;

            cur->data = (void*)tmpDA;

            SET_HEAD_TAIL_INCREMENT(signedData->digestAlgorithms, cur)
        }
    }
}
void CPKIFSignedDataImpl::AddSignerInfos(
    CACCMSSignedData* signedData,
    IPKIFMediatorPtr& cm)
{
    LOG_STRING_DEBUG("CPKIFSignedData::AddSignerInfos(CACCMSSignedData* signedData, IPKIFMediator* cm)", TOOLKIT_CRYPTO_MISC, 0, this);

    //set the count to zero - it will be incremented for each decoded signer and each signer
    //added via AddSignerInfo
    signedData->signerInfos.count = 0;

    //first, add any signer infos that were present in the decoded message
    if(NULL != m_signedData && NULL != (*m_signedData).data() && (*m_signedData)->signerInfos.count > 0)
    {
        DListNode* cur = NULL;
        DListNode* existing = (*m_signedData)->signerInfos.head;
        while(NULL != existing)
        {
            //throw bad_alloc
            if(NULL == cur)
            {
                NEW_NODE(cur)
            }
            else
            {
                NEW_NEXT_AND_ADVANCE(cur)
            }

            cur->data = existing->data;

            existing = existing->next;

            SET_HEAD_TAIL_INCREMENT(signedData->signerInfos, cur)
        }
    }

    //next, see if there are any newly added signers - if not return now
    if(m_signerInfos.empty())
        return;

    //if so proceed
    DListNode* cur = NULL;
    
    PKIFCRYPTO::HASH_ALG hashAlg;
    CPKIFSignerInfoList::iterator siPos;
    CPKIFSignerInfoList::iterator siEnd = m_signerInfos.end();
    for(siPos = m_signerInfos.begin(); siPos != siEnd; ++siPos)
    {
        CACCMSSignerInfo* tmpSignerInfo = new CACCMSSignerInfo;

        if(!GetCACHashAlg((*siPos)->GetDigestAlg()->oid(), &hashAlg))
        {
            delete tmpSignerInfo;

            //remove any existing signer infos from the list
            RemoveSignerInfos(signedData);

            //XXX-DEFER It may be better to produce as many signer infos as possible
            //          and report a collection of failures.  for now if one fails all fail
            //continue;
            throw CPKIFMessageException(m_parent->thisComponent, COMMON_UNSUPPORTED_ALG, "SignerInfo contains an unsupported hash algorithm.");
        }

        HashInfo* hi = m_detachedData.GetHashInfo(hashAlg);
        //moved failure to GetSignerInfo to support reenocding of existing
        //signers when adding a timestamp to an object with detached data
        //if(NULL == hi)
        //{
        //  //remove any existing signer infos from the list
        //  RemoveSignerInfos(signedData);

        //  //clean up what we just allocated
        //  delete tmpSignerInfo;

        //  //pass the exception on to the caller
        //  throw CPKIFMessageException(thisComponent, COMMON_UNSUPPORTED_ALG, "SignerInfo contains an unsupported hash algorithm.");
        //}

        try
        {
            if(hi) 
            {
            CPKIFOIDPtr encapCIOID = m_encapContentInfo->GetOID();
            GetSignerInfo(tmpSignerInfo, *siPos, hi->m_hashResult, hi->m_hashAlg, cm, encapCIOID, hi->m_hashAlg);
            //GetSignerInfo(tmpSignerInfo, *siPos, hi->m_hashResult, hi->m_hashAlg, cm, m_encapContentInfo->GetOID());
            } else {
            CPKIFOIDPtr encapCIOID = m_encapContentInfo->GetOID();
            GetSignerInfo(tmpSignerInfo, *siPos, NULL, 0, cm, encapCIOID, PKIFCRYPTO::SHA1); //This will throw an exception so hash type doesn't matter
            }
        }
        catch(CPKIFException& e)
        {
            //remove any existing signer infos from the list
            RemoveSignerInfos(signedData);

            //clean up what we just allocated
            delete tmpSignerInfo;

            //pass the exception on to the caller
            throw e;
        }

        if(NULL == cur)
        {
            NEW_NODE(cur)
        }
        else
        {
            NEW_NEXT_AND_ADVANCE(cur)
        }

        cur->data = (void*)tmpSignerInfo;

        SET_HEAD_TAIL_INCREMENT(signedData->signerInfos, cur)
    }
}
void CPKIFSignedDataImpl::RemoveSignerInfos(
    CACCMSSignedData* signedData)
{
    LOG_STRING_DEBUG("CPKIFSignedData::RemoveSignerInfos(CACCMSSignedData* signedData)", TOOLKIT_CRYPTO_MISC, 0, this);

    //the purpose of this function is to disassociate previously existing signer info objects from
    //newly created signer info objects so we don't end up freeing things twice.  essentially, the
    //signer infos from a decoded message are temporarily patched into the signer info list of a
    //newly encoded message and must be removed before the memory helper object fires.
    if(NULL != m_signedData && NULL != (*m_signedData).data() && (*m_signedData)->signerInfos.count)
    {
        //added tmp stuff 11/11/2003
        DListNode* cur = signedData->signerInfos.head, *tmp;
        for(unsigned int ii = 0; ii < (*m_signedData)->signerInfos.count && NULL != cur; ++ii, --signedData->signerInfos.count)
        {
            tmp = cur;
            cur = cur->next;
            delete tmp;
        }
        signedData->signerInfos.head = cur;
    }
}
void CPKIFSignedDataImpl::CalculateAndSetVersion()
{
    LOG_STRING_DEBUG("CPKIFSignedData::CalculateAndSetVersion()", TOOLKIT_CRYPTO_MISC, 0, this);

    //RFC3369 defines a simple algorithm to calculate the version.  It's not quite implemented here
    //because we provide no support for attribute certificates

    //assume the version is one
    m_version = CPKIFSignedData::CMSv1;

    CPKIFEncapsulatedContentInfoPtr ecip = m_parent->GetEncapsulatedContent();
    if(ecip == (CPKIFEncapsulatedContentInfo*)NULL)
        return; //should never happen - ths function is only called inside Encode and it requires an ecip

    CPKIFOIDPtr encapType = ecip->GetOID();
    if(encapType == (CPKIFOID*)NULL)
        return; //ditto - Encode requires an ecip OID

    if(!(*g_data == *encapType))
    {
        m_version = CPKIFSignedData::CMSv3;
        return;
    }

    //CPKIFSignerInfoList sis;
    //GetSignerInfos(sis);

    //CPKIFSignerInfoList::iterator pos;
    //CPKIFSignerInfoList::iterator end = sis.end();
    //for(pos = sis.begin(); pos != end; ++pos)
    //{
    //  if((*pos)->Version() == CMSv3)
    //  {
    //      m_version = CMSv3;
    //      return;
    //  }
    //}

    //due to the fact that calling GetSignerInfos removes entries from the 
    //objective structure and stores PKIF versions in a vector, the above code
    //will not do in this spot.  we need to iterate over the objective structures
    //directly.
    if((*m_signedData).data() != NULL && 0 != (*m_signedData)->signerInfos.count)
    {
        DListNode* cur = (*m_signedData)->signerInfos.head;
        while(NULL != cur)
        {
            CACCMSSignerInfo* tmp = (CACCMSSignerInfo*)cur->data;
            if(tmp->version == CPKIFSignedData::CMSv3)
            {
                m_version = CPKIFSignedData::CMSv3;
                return;
            }
            cur = cur->next;
        }
    }

    return;
}

CPKIFBufferPtr CPKIFSignedData::GetSignersCert(
    CPKIFBufferPtr tmpSignerInfoBuf
    /*CACCMSSignerInfo* tmpSignerInfo*/)
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetSignersCert(CACCMSSignerInfo* tmpSignerInfo)", TOOLKIT_CRYPTO_MISC, 0, this);

    CACASNWRAPPER_CREATE(CACCMSSignerInfo, tmpPDU);
    //shared_ptr<CACCMSSignerInfo> tmpSignerInfo (tmpPDU.Decode(tmpSignerInfoBuf->GetBuffer(), tmpSignerInfoBuf->GetLength()));
    CACCMSSignerInfo* tmpSignerInfo = tmpPDU.Decode(tmpSignerInfoBuf->GetBuffer(), tmpSignerInfoBuf->GetLength());


    //given a signer info structure search the cert bag for the signer's certificate

    CPKIFNamePtr issuer;
    const char* serial = NULL;
    CPKIFBufferPtr skid;

    if(NULL == tmpSignerInfo || NULL == m_impl->m_signedData || NULL == m_impl->m_signedData->data()) 
        return skid; //not returning skid - just a handy empty buffer object

    //first determine if we are searching using key id or iss dn/serial number
    if(1 == tmpSignerInfo->sid.t)
    {
        //issuer/serial
        serial = tmpSignerInfo->sid.u.issuerAndSerialNumber->serialNumber;

        CACASNWRAPPER_CREATE(CACX509V3Name, objPDU);
        ASN1OpenType* data1 = objPDU.Encode(&(tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer));
        CPKIFBufferPtr tmpBuf;
        if(data1 != NULL)
        {
             tmpBuf = CPKIFBufferPtr(new CPKIFBuffer(data1->data, data1->numocts));
            delete data1;
        }
        CPKIFNamePtr tmpNP(new CPKIFName(tmpBuf));
        //CPKIFNamePtr tmpNP(new CPKIFName(tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer));
        issuer = tmpNP;
    }
    else if(2 == tmpSignerInfo->sid.t)
    {
        //skid
        CPKIFBufferPtr tmpBP(new CPKIFBuffer(tmpSignerInfo->sid.u.subjectKeyIdentifier->data, tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts));
        skid = tmpBP;
    }
    else
    {
        CPKIFBufferPtr tmpBP;
        return tmpBP;
    }

    //iterate over all certs in the cert bag
    DListNode* cur = NULL;
    if((*m_impl->m_signedData)->m.certificatesPresent && 0 < (*m_impl->m_signedData)->certificates.count)   //added 11/6/2003 - head is not necessarily NULL 
        cur = (*m_impl->m_signedData)->certificates.head;
    while(NULL != cur)
    {
        CACCMSCertificateChoices* curChoice = (CACCMSCertificateChoices*)cur->data;
        if(T_CACCMSCertificateChoices_certificate != curChoice->t)
        {
            cur = cur->next;
            continue;
        }

        ASN1OpenType* curCert = (ASN1OpenType*)curChoice->u.certificate;

        try
        {
            //convert to a PKIF object
            CPKIFCertificatePtr tmpCert(new CPKIFCertificate);
            tmpCert->Decode(curCert->data, curCert->numocts);

            //see if there's a match - if so return a buffer containing raw cert
            if(NULL != serial && issuer != (CPKIFName*)NULL)
            {
                if(0 == strcmp(serial, tmpCert->SerialNumber()) &&
                    *issuer == *tmpCert->Issuer())
                    return tmpCert->Encoded();
            }
            else
            {
                CPKIFSubjectKeyIdentifierPtr skidFromCert = tmpCert->GetExtension<CPKIFSubjectKeyIdentifier>();
                if(skidFromCert != (CPKIFSubjectKeyIdentifier*)NULL)
                {
                    CPKIFBufferPtr skidValue = skidFromCert->KeyIdentifier();
                    if(*skidValue == *skid)
                        return tmpCert->Encoded();
                }
            }
        }
        catch(CPKIFException&)
        {
            //EXCEPTION DELETION
            //eat any exceptions - if we fail to find a cert we'll report that but
            //not any failures to parse certs in the bag
            //delete e;
        }

        cur = cur->next;
    }   

    CPKIFCertificateList certBagContents;
    GetCertificates(certBagContents);

    CPKIFCertificateList::iterator cPos;
    CPKIFCertificateList::iterator cEnd = certBagContents.end();
    for(cPos = certBagContents.begin(); cPos != cEnd; ++cPos)
    {
        try
        {
            //see if there's a match - if so return a buffer containing raw cert
            if(NULL != serial && issuer != (CPKIFName*)NULL)
            {
                if(0 == strcmp(serial, (*cPos)->SerialNumber()) &&
                    *issuer == *(*cPos)->Issuer())
                    return (*cPos)->Encoded();
            }
            else
            {
                CPKIFSubjectKeyIdentifierPtr skidFromCert = (*cPos)->GetExtension<CPKIFSubjectKeyIdentifier>();
                if(skidFromCert != (CPKIFSubjectKeyIdentifier*)NULL)
                {
                    CPKIFBufferPtr skidValue = skidFromCert->KeyIdentifier();
                    if(*skidValue == *skid)
                        return (*cPos)->Encoded();
                }
            }
        }
        catch(CPKIFException&)
        {
            //EXCEPTION DELETION
            //eat any exceptions - if we fail to find a cert we'll report that but
            //not any failures to parse certs in the bag
            //delete e;
        }

    }


    try
    {
        //if we get here then we's empty handed.  poke around any associated cert stores
        //if a search interface is available
        IPKIFCertSearch* certSearch = NULL;
        if(NULL != GetMediator())
            certSearch = GetMediator()->GetMediator<IPKIFCertSearch>();
        if(NULL != certSearch)
        {
            CPKIFCertificateList certList;
            if(1 == tmpSignerInfo->sid.t)
            {
                //issuer/serial
                CPKIFIssuerNameAndSerialNumberBasedSearch inasnbs;
                inasnbs.SetIssuerName(issuer);
                            // new
                CPKIFStringPtr serialStr (new std::string(serial));
                inasnbs.SetSerialNumber(serialStr);
                
                // old
                            //inasnbs.SetSerialNumber(CPKIFStringPtr(new std::string(serial)));

                certSearch->FindCertificates(&inasnbs, certList, ALL);
            }
            else if(2 == tmpSignerInfo->sid.t)
            {
                //skid
                CPKIFKeyIDBasedSearch kidbs;
                kidbs.SetKeyID(skid);

                certSearch->FindCertificates(&kidbs, certList, ALL);
            }

            //it's possible that we find more than one cert - however we'll just operate using the first one
            if(!certList.empty())
            {
                return certList.front()->Encoded();
            }
        }
    }
    catch(...)
    {
    }

    CPKIFBufferPtr tmpBP;
    return tmpBP;
}

CPKIFBufferPtr CPKIFSignedDataImpl::GetSignersCert(
    CACCMSSignerInfo* tmpSignerInfo)
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetSignersCert(CACCMSSignerInfo* tmpSignerInfo)", TOOLKIT_CRYPTO_MISC, 0, this);

    //given a signer info structure search the cert bag for the signer's certificate

    CPKIFNamePtr issuer;
    const char* serial = NULL;
    CPKIFBufferPtr skid;

    if(NULL == tmpSignerInfo || NULL == m_signedData || NULL == m_signedData->data())
        return skid; //not returning skid - just a handy empty buffer object

    //first determine if we are searching using key id or iss dn/serial number
    if(1 == tmpSignerInfo->sid.t)
    {
        //issuer/serial
        serial = tmpSignerInfo->sid.u.issuerAndSerialNumber->serialNumber;

        CACASNWRAPPER_CREATE(CACX509V3Name, objPDU);
        ASN1OpenType* data1 = objPDU.Encode(&(tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer));
        CPKIFBufferPtr tmpBuf;
        if(data1 != NULL)
        {
             tmpBuf = CPKIFBufferPtr(new CPKIFBuffer(data1->data, data1->numocts));
            delete data1;
        }
        CPKIFNamePtr tmpNP(new CPKIFName(tmpBuf));
        //CPKIFNamePtr tmpNP(new CPKIFName(tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer));
        issuer = tmpNP;
    }
    else if(2 == tmpSignerInfo->sid.t)
    {
        //skid
        CPKIFBufferPtr tmpBP(new CPKIFBuffer(tmpSignerInfo->sid.u.subjectKeyIdentifier->data, tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts));
        skid = tmpBP;
    }
    else
    {
        CPKIFBufferPtr tmpBP;
        return tmpBP;
    }

    //iterate over all certs in the cert bag
    DListNode* cur = NULL;
    if((*m_signedData)->m.certificatesPresent && 0 < (*m_signedData)->certificates.count)   //added 11/6/2003 - head is not necessarily NULL 
        cur = (*m_signedData)->certificates.head;
    while(NULL != cur)
    {
        CACCMSCertificateChoices* curChoice = (CACCMSCertificateChoices*)cur->data;

        if(T_CACCMSCertificateChoices_certificate != curChoice->t)
        {
            cur = cur->next;
            continue;
        }
        ASN1OpenType* curCert = (ASN1OpenType*)curChoice->u.certificate;

        try
        {
            //convert to a PKIF object
            CPKIFCertificatePtr tmpCert(new CPKIFCertificate);
            tmpCert->Decode(curCert->data, curCert->numocts);

            //see if there's a match - if so return a buffer containing raw cert
            if(NULL != serial && issuer != (CPKIFName*)NULL)
            {
                if(0 == strcmp(serial, tmpCert->SerialNumber()) &&
                    *issuer == *tmpCert->Issuer())
                    return tmpCert->Encoded();
            }
            else
            {
                CPKIFSubjectKeyIdentifierPtr skidFromCert = tmpCert->GetExtension<CPKIFSubjectKeyIdentifier>();
                if(skidFromCert != (CPKIFSubjectKeyIdentifier*)NULL)
                {
                    CPKIFBufferPtr skidValue = skidFromCert->KeyIdentifier();
                    if(*skidValue == *skid)
                        return tmpCert->Encoded();
                }
            }
        }
        catch(CPKIFException&)
        {
            //EXCEPTION DELETION
            //eat any exceptions - if we fail to find a cert we'll report that but
            //not any failures to parse certs in the bag
            //delete e;
        }

        cur = cur->next;
    }   

    CPKIFCertificateList certBagContents;
    m_parent->GetCertificates(certBagContents);

    CPKIFCertificateList::iterator cPos;
    CPKIFCertificateList::iterator cEnd = certBagContents.end();
    for(cPos = certBagContents.begin(); cPos != cEnd; ++cPos)
    {
        try
        {
            //see if there's a match - if so return a buffer containing raw cert
            if(NULL != serial && issuer != (CPKIFName*)NULL)
            {
                if(0 == strcmp(serial, (*cPos)->SerialNumber()) &&
                    *issuer == *(*cPos)->Issuer())
                    return (*cPos)->Encoded();
            }
            else
            {
                CPKIFSubjectKeyIdentifierPtr skidFromCert = (*cPos)->GetExtension<CPKIFSubjectKeyIdentifier>();
                if(skidFromCert != (CPKIFSubjectKeyIdentifier*)NULL)
                {
                    CPKIFBufferPtr skidValue = skidFromCert->KeyIdentifier();
                    if(*skidValue == *skid)
                        return (*cPos)->Encoded();
                }
            }
        }
        catch(CPKIFException&)
        {
            //EXCEPTION DELETION
            //eat any exceptions - if we fail to find a cert we'll report that but
            //not any failures to parse certs in the bag
            //delete e;
        }

    }


    try
    {
        //if we get here then we's empty handed.  poke around any associated cert stores
        //if a search interface is available
        IPKIFCertSearch* certSearch = NULL;
        if(NULL != m_med)
            certSearch = m_med->GetMediator<IPKIFCertSearch>();
        if(NULL != certSearch)
        {
            CPKIFCertificateList certList;
            if(1 == tmpSignerInfo->sid.t)
            {
                //issuer/serial
                CPKIFIssuerNameAndSerialNumberBasedSearch inasnbs;
                inasnbs.SetIssuerName(issuer);

                            // new
                CPKIFStringPtr serialStr (new std::string(serial));
                inasnbs.SetSerialNumber(serialStr);

                            // old          
                            //inasnbs.SetSerialNumber(CPKIFStringPtr(new std::string(serial)));

                certSearch->FindCertificates(&inasnbs, certList, ALL);
            }
            else if(2 == tmpSignerInfo->sid.t)
            {
                //skid
                CPKIFKeyIDBasedSearch kidbs;
                kidbs.SetKeyID(skid);

                certSearch->FindCertificates(&kidbs, certList, ALL);
            }

            //it's possible that we find more than one cert - however we'll just operate using the first one
            if(!certList.empty())
            {
                return certList.front()->Encoded();
            }
        }
    }
    catch(...)
    {
    }

    CPKIFBufferPtr tmpBP;
    return tmpBP;
}

void CPKIFSignedDataImpl::CallingAllGets()
{
    LOG_STRING_DEBUG("CPKIFSignedData::CallingAllGets()", TOOLKIT_CRYPTO_MISC, 0, this);

    //added 10/7/2003 - to avoid scope issues related to Objective buffer that
    //was being used to hold information following Encode
#if defined (WIN32) || defined (_WIN32)
    GetVersion();
#endif

    m_parent->GetEncapsulatedContent();

    CPKIFCertificateList certs;
    m_parent->GetCertificates(certs);

    CPKIFCRLList crls;
    m_parent->GetCRLs(crls);

    CPKIFSignerInfoList sis;
    m_parent->GetSignerInfos(sis);
}
void CPKIFSignedDataImpl::GetCandidateSignersCerts(
    CACCMSSignerInfo* tmpSignerInfo, 
    IPKIFNameAndKeyList& certs)
{
    LOG_STRING_DEBUG("CPKIFSignedData::GetCandidateSignersCerts(CACCMSSignerInfo* tmpSignerInfo, CPKIFCertificateList& certs)", TOOLKIT_CRYPTO_MISC, 0, this);

    //given a signer info structure search the cert bag for the signer's certificate

    CPKIFNamePtr issuer;
    const char* serial = NULL;
    CPKIFBufferPtr skid;

    if(NULL == tmpSignerInfo || NULL == m_signedData || NULL == m_signedData->data())
        return; //not returning skid - just a handy empty buffer object

    //first determine if we are searching using key id or iss dn/serial number
    if(1 == tmpSignerInfo->sid.t)
    {
        //issuer/serial
        serial = tmpSignerInfo->sid.u.issuerAndSerialNumber->serialNumber;

        CACASNWRAPPER_CREATE(CACX509V3Name, objPDU);
        ASN1OpenType* data1 = objPDU.Encode(&(tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer));
        CPKIFBufferPtr tmpBuf;
        if(data1 != NULL)
        {
             tmpBuf = CPKIFBufferPtr(new CPKIFBuffer(data1->data, data1->numocts));
            delete data1;
        }
        CPKIFNamePtr tmpNP(new CPKIFName(tmpBuf));
        //CPKIFNamePtr tmpNP(new CPKIFName(tmpSignerInfo->sid.u.issuerAndSerialNumber->issuer));
        issuer = tmpNP;
    }
    else if(2 == tmpSignerInfo->sid.t)
    {
        //skid
        CPKIFBufferPtr tmpBP(new CPKIFBuffer(tmpSignerInfo->sid.u.subjectKeyIdentifier->data, tmpSignerInfo->sid.u.subjectKeyIdentifier->numocts));
        skid = tmpBP;
    }

    //if we get here then we's empty handed.  poke around any associated cert stores
    //if a search interface is available
    try
    {
        IPKIFCertSearch* certSearch = NULL;
        if(NULL != m_med)
            certSearch = m_med->GetMediator<IPKIFCertSearch>();
        if(NULL != certSearch)
        {
            //CPKIFCertificateList certList;
            if(1 == tmpSignerInfo->sid.t)
            {
                //issuer/serial
                CPKIFIssuerNameAndSerialNumberBasedSearch inasnbs;
                inasnbs.SetIssuerName(issuer);

                // new
                CPKIFStringPtr serialStr (new std::string(serial));
                inasnbs.SetSerialNumber(serialStr);             

                certSearch->FindKeys(&inasnbs, certs, ALL);
            }
            else if(2 == tmpSignerInfo->sid.t)
            {
                //skid
                CPKIFKeyIDBasedSearch kidbs;
                kidbs.SetKeyID(skid);

                certSearch->FindKeys(&kidbs, certs, ALL);
            }

            //it's possible that we find more than one cert - however we'll just operate using the first one
            //if(!certList.empty())
            //{
            //  //return certList.front()->Encoded();
            //  copy(certList.begin(), certList.end(), back_inserter(certs));
            //}
        }
    }
    catch(CPKIFException&)
    {
        //ignore exceptions - if we don't find it we don't find it
    }

//  CPKIFBufferPtr tmpBP;
//  return tmpBP;
}

void CPKIFSignedData::SetKeyUsageChecker(CPKIFFuncStoragePtr& kuChecker)
{
    m_impl->m_kuChecker = kuChecker;
}

#ifdef NEW_VERIFY_FUNC

bool CPKIFSignedDataImpl::_Verify(
    int signerIndex, 
    CMSVerificationStatus& status, 
    CPKIFCertificatePtr& sc, 
    CMSPathValidationStatus minStatus)
{
#undef SET_BEST
#define SET_BEST \
{\
    if(curStatus > bestStatus || bestStatus == NOT_VERIFIED) \
    {\
        bestCert = candidateSignerCerts[currCertPos];\
        bestPath = m_path;\
        bestStatus = curStatus;\
    }\
}
// !!! GB: Changed certPos = candidateSignerCerts.begin();\ in this macro
// to currCertPos = 0;
#undef LOOK_FOR_MORE
#define LOOK_FOR_MORE() \
{ \
    if(lookBeyondTheBag)\
    {\
        lookBeyondTheBag = false;\
        GetCandidateSignersCerts(si, candidateSignerCerts);\
    }\
}

#undef RETURN
#define RETURN(b) \
{ \
    bool finalAnswer = b;\
    if(finalAnswer && bRetrySigWithParams)\
    {\
        CPKIFAlgorithmIdentifierPtr wp = m_valResults->GetWorkingParams();\
        key.SetWorkingParameters(wp);\
        if(!cRaw->Verify(key, hi->m_hashResult, CPKIFAlgorithm::GetAlg(hi->m_hashAlg)->DigestSize(), (unsigned char*)si->signature.data, si->signature.numocts, hi->m_hashAlg))\
        {\
            if(deleteHI)\
            {\
                delete hi;\
            }\
            bestStatus = CMS_SIGNATURE_INVALID;\
            finalAnswer = false;\
        }\
    }\
    if(deleteHI)\
    {\
        delete hi;\
    }\
    status = bestStatus;\
    m_path = bestPath;\
    return finalAnswer;\
}

    LOG_STRING_DEBUG("CPKIFSignedData::_Verify(int signerIndex, CMSVerificationStatus& status, ...", TOOLKIT_CRYPTO_MISC, 0, this);

    //initialize the outbound status to NOT_VERIFIED - i.e. set it to indicate that we haven't done anything
    //since we haven't done anything yet - this will be set to the bestStatus value in RETURN
    status = NOT_VERIFIED;

    if(!m_kuChecker)
    {
        CPKIFFuncStoragePtr keyUsageSigFunctor2(new CPKIFFuncStorage(keyUsageChecker_Signature));
        m_kuChecker = keyUsageSigFunctor2;
    }

    //curStatus should be used as a temporary status vehicle - bestStatus will maintain the high water
    //mark during processing
    CMSVerificationStatus curStatus = NOT_VERIFIED;
    bool bRetrySigWithParams = false; //added 2/17/2005
    CPKIFKeyMaterial key;

    //collect the necessary interfaces (there are other optional interfaces that will be used if present):
    //      IPKIFCryptoMisc - to prepare hashes
    //      IPKIFCryptoRawOperations - to perform signature verification
    if(NULL == m_med)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "Mediator is not available.");

    IPKIFCryptoMisc* cMisc = m_med->GetMediator<IPKIFCryptoMisc>();
    if(NULL == cMisc)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoMisc interface is not available.");
    IPKIFCryptoRawOperations* cRaw = m_med->GetMediator<IPKIFCryptoRawOperations>();
    if(NULL == cRaw)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFCryptoRawOperations interface is not available.");

    IPKIFPathBuild* cBuild = NULL;
    IPKIFPathValidate* cValidate = NULL;
    if(minStatus > PVS_NOT_VALIDATED)
    {
        cBuild = m_med->GetMediator<IPKIFPathBuild>();
        if(NULL == cBuild)
            throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFPathBuild interface is not available.");

        cValidate = m_med->GetMediator<IPKIFPathValidate>();
        if(NULL == cValidate)
            throw CPKIFMessageException(m_parent->thisComponent, COMMON_MEDIATOR_MISSING, "IPKIFPathValidate interface is not available.");
    }

    //added 3/17 CRW
    if(NULL == m_signedData->data())
        throw CPKIFMessageException(m_parent->thisComponent, MSG_INVALID_STATE, "Message has not been decoded.");

    //see if data was present that needs hashing (if m_bDetached is set then we've already hashed)
    if((*m_signedData)->encapContentInfo.m.eContentPresent && !m_bDetached)
    {
        //if content is present in the message throw out anything that was passed in via UpdateMessage
        m_detachedData.FreeHashVector();
        m_bDetached = false; //added 04/08/2003 CRW
        m_parent->UpdateMessage((unsigned char*)(*m_signedData)->encapContentInfo.eContent.data, (*m_signedData)->encapContentInfo.eContent.numocts);
    }

    CPKIFOIDPtr encapType = m_parent->GetEncapsulatedContent()->GetOID();

    //finalize all hashes (either initialized above or via external call to UpdateMessage)
    m_detachedData.FinalizeHashes(cMisc);

    //iterate over all signer infos and select the one corresponding to the requested index
    bool b = false;
    
    DListNode* cur = (*m_signedData)->signerInfos.head;
    for(int ii = 0; ii < signerIndex && NULL != cur; ++ii)
        cur = cur->next;

    //if there isn't one that corresponds to the index - fail
    if(NULL == cur)
        throw CPKIFMessageException(m_parent->thisComponent, MSG_INVALID_INDEX, "signerIndex is invalid.");

    CACCMSSignerInfo* si = (CACCMSSignerInfo*)cur->data;
    CPKIFAlgorithm * pkifAlg = GetCACHashAlg(&si->digestAlgorithm);
    if(!pkifAlg)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_UNSUPPORTED_ALG, "Unsupported hashing algorithm.");     
    PKIFCRYPTO::HASH_ALG hashAlg = pkifAlg->HashAlg();
    CPKIFBufferPtr signerCert;
    IPKIFNameAndKeyList candidateSignerCerts;
    bool lookBeyondTheBag = true;           //boolean to indicate if sources other than cert bag should be tried

    //see if a cert was passed in... 
    if(sc != (CPKIFCertificate*)NULL)
    {
        //if so use it 
//      lookBeyondTheBag = false;           //when we are passed a signer cert that is the only cert we will try
        signerCert = sc->Encoded();
        candidateSignerCerts.push_back(sc);
    }
    else
    {
        //if not look in the signers info for the cert
        CPKIFCertificatePtr tmpSC;
        m_parent->GetSignersCert(signerIndex, tmpSC);
        if(tmpSC != (CPKIFCertificate*)NULL)
        {
            signerCert = tmpSC->Encoded();
            candidateSignerCerts.push_back(tmpSC);
        }
    }

    if(candidateSignerCerts.empty())
    {
        GetCandidateSignersCerts(si, candidateSignerCerts);
    }

    IPKIFNameAndKeyPtr bestCert;                    //pointer to the best candidate cert so far
    CMSVerificationStatus bestStatus = NOT_VERIFIED;//status of bestCert
    CPKIFCertificatePathPtr bestPath;           //path associated with bestCert
    vector<CPKIFCertificatePathPtr> allPaths;   //vector containing all paths that have been tried (for bestCert and others)

    //***************************************************************************************************
    //  Next, calculate or obtain hash result for signature verification and process mandatory
    //  signed CMS attributes.
    //***************************************************************************************************
    HashInfo* hi = NULL;    //pointer to hash result calculated with the hash alg retrieved from SignerInfo
    bool deleteHI = false;  //bool to indicate if HashInfo object must be cleaned up (i.e. was created and not retrieved from parallel hash)

    //determine if signed attributes are present so we know what to hash
    if(!si->m.signedAttrsPresent)
    {
        //if no signed attrs are present then retrieve the hash of the data     
        hi = m_detachedData.GetHashInfo(hashAlg);
    }
    else
    {
        //get the hash of the data
        HashInfo* hi2 = m_detachedData.GetHashInfo(hashAlg);

        //then compute the hash over the signed attrs (this will be used for verification below)
        hi = ComputeSignedAttrHash(si, cMisc);
        deleteHI = true;

        if(!CompareHashes(hi2, si))
        {
            //if hash of data does not match the hash contained in the signed attr bag
            //or if there is no content hash in the signed attr bag then fail
            //changed from curStatus = 11/6/2003
            bestStatus = CMS_SIGNATURE_INVALID;
            RETURN(false); //no need to keep looking for a cert - the hash of the data is not correct
        }

        //added 04/28/2003
        CACASNWRAPPER_CREATE(CACCMSSignerInfo, InfoWrapper);
        ASN1OpenType *siData = InfoWrapper.Encode(si);
        CPKIFBufferPtr siBuf(new CPKIFBuffer(siData->data, siData->numocts));
        delete siData;

        //CPKIFSignerInfo tmpSI(*si);
        CPKIFSignerInfo tmpSI(siBuf);

        CPKIFContentTypeAttributePtr ct = tmpSI.GetSignedAttribute<CPKIFContentTypeAttribute>();
        if(ct == (CPKIFContentTypeAttribute*)NULL)
        {
            //changed from curStatus = 11/6/2003
            bestStatus = CMS_SIGNATURE_INVALID;
            RETURN(false); //no need to keep looking for a cert - a required attribute is not present
        }
        else
        {
            CPKIFOIDPtr ctType = ct->GetContentType();
            if(ctType == (CPKIFOID*)NULL || !(*ctType == *encapType))
            {
                //changed from curStatus = 11/6/2003
                bestStatus = CMS_SIGNATURE_INVALID;
                RETURN(false); //no need to keep looking for a cert - content type mismatch
            }
        }
            
    }

    IPKIFCertRepositoryUpdate* certUpdate = m_med->GetMediator<IPKIFCertRepositoryUpdate>();
    if(certUpdate)
    {
        CPKIFCertificateList certBagContents;
        m_parent->GetCertificates(certBagContents);

        CPKIFCertificateList::iterator cPos;
        CPKIFCertificateList::iterator cEnd = certBagContents.end();
        for(cPos = certBagContents.begin(); cPos != cEnd; ++cPos)
        {
            CPKIFBasicConstraintsPtr bc = (*cPos)->GetExtension<CPKIFBasicConstraints>();
            if(bc != (CPKIFBasicConstraints*)NULL)
            {
                if(bc->isCA())
                    certUpdate->AddCertificate(CA, *cPos);
            }
        }
    }

    IPKIFCRLRepositoryUpdate* crlUpdate = m_med->GetMediator<IPKIFCRLRepositoryUpdate>();
    if(crlUpdate)
    {
        CPKIFCRLList crlBagContents;
        m_parent->GetCRLs(crlBagContents);

        CPKIFGeneralNamePtr dummyGN;

        CPKIFCRLList::iterator cPos;
        CPKIFCRLList::iterator cEnd = crlBagContents.end();
        for(cPos = crlBagContents.begin(); cPos != cEnd; ++cPos)
        {
            crlUpdate->AddCRL(*cPos, dummyGN);
        }
    }

    if(NULL == hi)
        throw CPKIFMessageException(m_parent->thisComponent, COMMON_UNSUPPORTED_ALG, "Unsupported hashing algorithm or detached data not attached prior to invoking Verify.");      

    //At this point we have located the desired SignerInfo and we have collected 0 or more candidate 
    //certificates for that SignerInfo (either passed in as the sc param or from the cert bag associated
    //with the SignedData message).  We need to iterate over the candidate certs until we either find a cert
    //that meets our verification requirements or run out of certs to try.

    //CPKIFCertificateList::iterator certPos;       //pointer to the current position in the vector
    size_t currCertPos = 0;

    //candidateSignerCerts can change during an iteration - thus the end position should not be stored
    //changed from certPos != to certPos < 11/17/2003
    //for(certPos = candidateSignerCerts.begin(); certPos < candidateSignerCerts.end(); ++certPos)
    for(currCertPos = 0; currCertPos < candidateSignerCerts.size(); ++currCertPos)
    {
        CPKIFCertificatePtr curCert = dynamic_pointer_cast<CPKIFCertificate, IPKIFNameAndKey>(candidateSignerCerts[currCertPos]);
        if(curCert)
        {
            signerCert = curCert->Encoded();

            //prepare a key material object with the cert...
            key.SetCertificate(signerCert->GetBuffer(), signerCert->GetLength());
        }
        else
        {
            CPKIFBufferPtr empty;
            signerCert = empty;
            key.SetSubjectPublicKeyInfo(candidateSignerCerts[currCertPos]->GetSubjectPublicKeyInfo());
        }

        CPKIFAlgorithmIdentifierPtr tmpAI;
        key.SetWorkingParameters(tmpAI);
        
        //added catch block and bool to cause signature verification to be retried once we have working params
        bRetrySigWithParams = false;
        try
        {
            //then attempt verification
            if(!cRaw->Verify(key, hi->m_hashResult, CPKIFAlgorithm::GetAlg(hi->m_hashAlg)->DigestSize(), (unsigned char*)si->signature.data, si->signature.numocts, hi->m_hashAlg))
            {
                curStatus = CMS_SIGNATURE_INVALID;
                SET_BEST
                LOOK_FOR_MORE()
                continue;
            }
            else
            {
                curStatus = CMS_SIGNATURE_VERIFIED;
            }
        }
        catch(CPKIFException& ce)
        {
            if(PKIFCAPING_KEY_IMPORT_FAILED != ce.GetErrorCode() && PKIFCAPI_KEY_IMPORT_FAILED != ce.GetErrorCode() && PKIFNSS_CERT_IMPORT_FAILED != ce.GetErrorCode())
            {
                throw ce;
            }
            else
            {
                bRetrySigWithParams = true;
            }
        }

        //added 04/26/2003 - CRW
        if(PVS_NOT_VALIDATED == minStatus)
            RETURN(true);

        if(!signerCert)
        {
            IPKIFTrustAnchorPtr ta = dynamic_pointer_cast<IPKIFTrustAnchor, IPKIFNameAndKey>(candidateSignerCerts[currCertPos]);
            if(ta)
            {
                CPKIFCertificatePathPtr tmpPath(new CPKIFCertificatePath);
                m_path = tmpPath;
                m_path->SetTrustRoot(ta);
                bestPath = m_path;

                CPKIFPathValidationResultsPtr tmpValResults(new CPKIFPathValidationResults);
                m_valResults = tmpValResults;
                m_valResults->SetTargetIsTrustAnchor(true);
                m_valResults->SetTrustAnchor(ta);

                bestStatus = REV_STATUS_VERIFIED;
                RETURN(true);
            }
            else
            {
                RETURN(false);
            }
        }

        CPKIFCertificatePathPtr tmpPath(new CPKIFCertificatePath);
        m_path = tmpPath;

        allPaths.push_back(m_path);

        CPKIFPathValidationResultsPtr tmpValResults(new CPKIFPathValidationResults);
        m_valResults = tmpValResults;

        CPKIFCertificatePtr signersCert(new CPKIFCertificate());
        signersCert->Decode(signerCert->GetBuffer(), signerCert->GetLength());
        m_path->SetTarget(signersCert);

        //if settings have been associated with this object use them
        //otherwise defer to the default settings (either globally set
        //or defined to be very permissive)
        if(m_settings != (CPKIFPathSettings*)NULL)
            m_path->SetPathSettings(m_settings);

        try
        {
            //This do/while will iteratively call Build and Validate until all paths have been tried
            //or a good path has been found.  
            do
            {
                if(!cBuild->BuildPath(*m_path))
                {
                    SET_BEST
                    LOOK_FOR_MORE()
                    break;
                }
                if(cValidate->ValidatePath(*m_path, *m_valResults, m_kuChecker))
                {
                    if(NOT_REVOKED == m_valResults->GetRevocationStatusMostSevere())
                    {
                        curStatus = REV_STATUS_VERIFIED;
                        SET_BEST
                        RETURN(true);   
                    }
                    else
                    {
                        curStatus = CERT_PATH_VERIFIED;
                        //added 8/27/2004
                        SET_BEST
                        if(PVS_REV_STATUS_VERIFIED > minStatus)
                            RETURN(true);
                    }
                }
                else
                {
                    if(!m_valResults->GetBasicChecksSuccessfullyPerformed() ||
                        !m_valResults->GetCertSignaturesVerified())
                    {
                        curStatus = CERT_PATH_INVALID; //set the status but keep looking
                        SET_BEST
                    }
                    else if(REVOKED == m_valResults->GetRevocationStatusMostSevere())
                    {
                        //see if the signer was revoked - if so, stop looking and return false now
                        //if they don't match then a CA cert was revoked and we should keep looking
                        //for a good path
                        CPKIFCertificateNodeEntryPtr errantCertNode = m_valResults->GetCertificate();
                        if(errantCertNode != (CPKIFCertificateNodeEntry*)NULL)
                        {
                            CPKIFCertificatePtr errantCert = errantCertNode->GetCert();
                            if(errantCert != (CPKIFCertificate*)NULL && *errantCert == *signersCert)
                            {
                                curStatus = REV_STATUS_INVALID;
                                SET_BEST
                                LOOK_FOR_MORE()
                                break;
                            }
                            else
                            {
                                //added this condition 8/27/2004
                                curStatus = REV_STATUS_INVALID;
                                SET_BEST
                                RETURN(false)
                            }
                        }
                    }
                    else if(m_valResults->GetBasicChecksSuccessfullyPerformed() &&
                        m_valResults->GetCertSignaturesVerified())
                    {
                        curStatus = CERT_PATH_VERIFIED; //verification successful but revocation not checked
                        SET_BEST
                        if(PVS_REV_STATUS_VERIFIED > minStatus) //if min say OK return true - else keep looking
                            RETURN(true);
                    }
                }
            }while(1);
        }
        catch(CPKIFException& e)
        {
            LOG_STRING_ERROR(e.print()->c_str(), m_parent->thisComponent, COMMON_UNKNOWN_ERROR, this);
            SET_BEST
            LOOK_FOR_MORE()
        }
    }

    RETURN(false);
}
#endif