TimestampVerifier.cpp

Go to the documentation of this file.
00001 
00010 #include "AlgorithmIdentifier.h"
00011 #include "Buffer.h"
00012 #include "CRLEntry.h"
00013 #include "Certificate.h"
00014 #include "ContentInfo.h"
00015 #include "Duration.h"
00016 #include "EncapsulatedContentInfo.h"
00017 #include "ExtendedKeyUsage.h"
00018 #include "GottaMatch.h"
00019 #include "IPKIFCryptoMisc.h"
00020 #include "IPKIFHashContext.h"
00021 #include "IPKIFPathValidate.h"
00022 #include "MessageImprint.h"
00023 #include "OCSP.h"
00024 #include "OCSPResponse.h"
00025 #include "OID.h"
00026 #include "PKIFCRLInfo.h"
00027 #include "PKIFCertStatus.h"
00028 #include "PKIFFuncStorage.h"
00029 #include "PKIFMediators.h"
00030 #include "PKIFOCSPInfo.h"
00031 #include "PKIFTSP.h"
00032 #include "PKIFTime.h"
00033 #include "ParallelHash.h"
00034 #include "PathResults.h"
00035 #include "Period.h"
00036 #include "RevocationSource.h"
00037 #include "SignedData.h"
00038 #include "SingleResponse.h"
00039 #include "TSPException.h"
00040 #include "TSTInfo.h"
00041 #include "TimestampVerifier.h"
00042 #include "ToolkitUtils.h"
00043 #include "Validity.h"
00044 #include "pkiftsperrors.h"
00045 #include "SignerInfo.h"
00046 #include "SigningCertificateAttribute.h"
00047 #include "ESSCertId.h"
00048 #include "GeneralName.h"
00049 #include "Name.h"
00050 
00051 #include <vector>
00052 
00053 
00055 
00056 struct CPKIFTimestampVerifierImpl
00057 {
00058     CPKIFTimestampVerifier *m_parent;
00059 
00060     //inputs
00061     IPKIFMediatorPtr m_externalMediator;                    //use if set by caller
00062     IPKIFMediatorPtr m_internalMediator;                    //allocated if external is not set
00063     CMSPathValidationStatus m_verificationStatusMinumum;
00064     CPKIFPathSettingsPtr m_pathSettings;
00065     int m_skew;
00066     CPKIFTimePtr m_time;
00067 
00068     //data-related members
00069     CPKIFBufferPtr m_orig;
00070     CPKIFBufferPtr m_hash; 
00071     PKIFCRYPTO::HASH_ALG m_ha;
00072     CPKIFParallelHashPtr m_ph;
00073     CPKIFBufferPtr GetHash(PKIFCRYPTO::HASH_ALG ha);
00074     CPKIFBufferPtr GetHash(PKIFCRYPTO::HASH_ALG ha, CPKIFBufferPtr buffToHash);
00075 
00076     //outputs
00077     CMSVerificationStatus m_verificationStatusResult;
00078     CPKIFCertificatePathPtr m_path;
00079     CPKIFPathValidationResultsPtr m_pvResults;
00080     CPKIFCertificatePtr m_tsaCert;
00081     CPKIFTimePtr m_dateTime;
00082 
00083     void MakeInternalMediator();
00084 };
00085 
00093 CPKIFBufferPtr CPKIFTimestampVerifierImpl::GetHash(
00095     PKIFCRYPTO::HASH_ALG ha)
00096 {
00097     LOG_STRING_DEBUG("CPKIFTimestampVerifier::GetHash(HASH_ALG ha)", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00098 
00099     CPKIFBufferPtr emptyBP;
00100 
00101     if(m_hash != (CPKIFBuffer*)NULL)
00102     {
00103         if(ha == m_ha)
00104             return m_hash;
00105         else
00106             return emptyBP;
00107     }
00108 
00109     if(m_orig != (CPKIFBuffer*)NULL)
00110     {
00111         IPKIFMediatorPtr activeMediator;
00112         if(m_externalMediator)
00113             activeMediator = m_externalMediator;
00114         else
00115             activeMediator = m_internalMediator;
00116 
00117         if(activeMediator != (IPKIFMediator*)NULL)
00118         {
00119             IPKIFCryptoMisc* cm = activeMediator->GetMediator<IPKIFCryptoMisc>();
00120             if(cm)
00121             {
00122                 IPKIFHashContext* hc = cm->HashInit(ha);
00123                 if(hc)
00124                 {
00125                     CPKIFBufferPtr newBP(new CPKIFBuffer);
00126                     unsigned char* hashResult = newBP->AllocateBuffer(ha);
00127                     int resultLen = ha;
00128                     cm->HashUpdate(hc, (unsigned char*)m_orig->GetBuffer(), m_orig->GetLength());
00129                     cm->HashFinal(hc, hashResult, &resultLen);
00130                     delete hc;
00131                     return newBP;
00132                 }
00133             }
00134         }
00135     }
00136 
00137     if(m_ph != (CPKIFParallelHash*)NULL)
00138     {
00139         HashInfo* hi = m_ph->GetHashInfo(ha);
00140         if(NULL != hi)
00141         {
00142             CPKIFBufferPtr newBP(new CPKIFBuffer(hi->m_hashResult, hi->m_hashAlg));
00143             return newBP;
00144         }
00145     }
00146 
00147     return emptyBP;
00148 }
00149 
00157 CPKIFBufferPtr CPKIFTimestampVerifierImpl::GetHash(
00159     PKIFCRYPTO::HASH_ALG ha,
00161     CPKIFBufferPtr buffToHash)
00162 {
00163     LOG_STRING_DEBUG("CPKIFTimestampVerifier::GetHash(HASH_ALG ha)", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00164 
00165     CPKIFBufferPtr emptyBP;
00166 
00167     if(m_hash != (CPKIFBuffer*)NULL)
00168     {
00169         if(ha == m_ha)
00170             return m_hash;
00171         else
00172             return emptyBP;
00173     }
00174 
00175     if(m_orig != (CPKIFBuffer*)NULL)
00176     {
00177         IPKIFMediatorPtr activeMediator;
00178         if(m_externalMediator)
00179             activeMediator = m_externalMediator;
00180         else
00181             activeMediator = m_internalMediator;
00182 
00183         if(activeMediator != (IPKIFMediator*)NULL)
00184         {
00185             IPKIFCryptoMisc* cm = activeMediator->GetMediator<IPKIFCryptoMisc>();
00186             if(cm)
00187             {
00188                 IPKIFHashContext* hc = cm->HashInit(ha);
00189                 if(hc)
00190                 {
00191                     CPKIFBufferPtr newBP(new CPKIFBuffer);
00192                     unsigned char* hashResult = newBP->AllocateBuffer(ha);
00193                     int resultLen = ha;
00194                     cm->HashUpdate(hc, (unsigned char*)buffToHash->GetBuffer(), buffToHash->GetLength());
00195                     cm->HashFinal(hc, hashResult, &resultLen);
00196                     delete hc;
00197                     return newBP;
00198                 }
00199             }
00200         }
00201     }
00202 
00203     if(m_ph != (CPKIFParallelHash*)NULL)
00204     {
00205         HashInfo* hi = m_ph->GetHashInfo(ha);
00206         if(NULL != hi)
00207         {
00208             CPKIFBufferPtr newBP(new CPKIFBuffer(hi->m_hashResult, hi->m_hashAlg));
00209             return newBP;
00210         }
00211     }
00212 
00213     return emptyBP;
00214 }
00215 
00223 void CPKIFTimestampVerifierImpl::MakeInternalMediator()
00224 {
00225     LOG_STRING_DEBUG("CPKIFTimestampVerifier::MakeInternalMediator()", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00226 }
00227 
00229 
00230 void EKUChecker_TimestampTSP(const CPKIFCertificateNodeEntryPtr& certNode, CPKIFPathValidationResults& results, CertificateType type);
00241 CPKIFTimestampVerifier::CPKIFTimestampVerifier()
00242   :m_impl(new CPKIFTimestampVerifierImpl)
00243 {
00244     LOG_STRING_DEBUG("CPKIFTimestampVerifier::CPKIFTimestampVerifier()", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00245 
00246     m_impl->m_parent = this;
00247     m_impl->m_verificationStatusMinumum = PVS_REV_STATUS_VERIFIED;
00248     m_impl->m_verificationStatusResult = NOT_VERIFIED;
00249     //m_impl->m_skew = 3600; //# of seconds in 1 hour
00250     m_impl->m_skew = -1; //<0 skew not used
00251 }
00259 CPKIFTimestampVerifier::~CPKIFTimestampVerifier()
00260 {
00261     LOG_STRING_DEBUG("CPKIFTimestampVerifier::~CPKIFTimestampVerifier()", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00262 
00263     if (m_impl)
00264     {
00265         delete m_impl;
00266     }
00267 }
00268 
00269 //INPUTS
00278 void CPKIFTimestampVerifier::SetMediator(
00281     IPKIFMediatorPtr& m)
00282 {
00283     m_impl->m_externalMediator = m;
00284 }
00295 void CPKIFTimestampVerifier::SetMinimumVerificationStatus(
00297     CMSPathValidationStatus v)
00298 {
00299     m_impl->m_verificationStatusMinumum = v;
00300 }
00311 void CPKIFTimestampVerifier::SetPathSettings(
00314     CPKIFPathSettingsPtr& p)
00315 {
00316     m_impl->m_pathSettings = p;
00317 }
00326 void CPKIFTimestampVerifier::SetSkew(
00329     int seconds)
00330 {
00331     m_impl->m_skew = seconds;
00332 }
00340 void CPKIFTimestampVerifier::SetComparisonTime(
00343     CPKIFTimePtr& time)
00344 {
00345     m_impl->m_time = time;
00346 }
00347 
00348 //OUTPUTS
00356 CMSVerificationStatus CPKIFTimestampVerifier::GetVerificationStatus() const
00357 {
00358     return m_impl->m_verificationStatusResult;
00359 }
00367 CPKIFCertificatePathPtr CPKIFTimestampVerifier::GetCertificatePath() const
00368 {
00369     return m_impl->m_path;
00370 }
00378 CPKIFPathValidationResultsPtr CPKIFTimestampVerifier::GetPathValidationResults() const
00379 {
00380     return m_impl->m_pvResults;
00381 }
00389 CPKIFCertificatePtr CPKIFTimestampVerifier::GetTSACertificate() const
00390 {
00391     return m_impl->m_tsaCert;
00392 }
00400 CPKIFTimePtr CPKIFTimestampVerifier::GetTSADateTime() const
00401 {
00402     return m_impl->m_dateTime;
00403 }
00412 void CPKIFTimestampVerifier::SetDataComplete(
00415     CPKIFBufferPtr& origData)
00416 {
00417     LOG_STRING_DEBUG("CPKIFTimestampVerifier::SetDataComplete(CPKIFBufferPtr& origData)", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00418 
00419     CPKIFBufferPtr emptyBP;
00420     CPKIFParallelHashPtr emptyPH;
00421     m_impl->m_hash = emptyBP;
00422     m_impl->m_ph = emptyPH;
00423 
00424     m_impl->m_orig = origData;
00425 }
00433 void CPKIFTimestampVerifier::SetDataHash(
00436     CPKIFBufferPtr& hash, 
00438     PKIFCRYPTO::HASH_ALG ha)
00439 {
00440     LOG_STRING_DEBUG("CPKIFTimestampVerifier::SetDataHash(CPKIFBufferPtr& hash, HASH_ALG ha)", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00441 
00442     CPKIFBufferPtr emptyBP;
00443     CPKIFParallelHashPtr emptyPH;
00444     m_impl->m_orig = emptyBP;
00445     m_impl->m_ph = emptyPH;
00446 
00447     m_impl->m_hash = hash;
00448     m_impl->m_ha = ha;
00449 }
00459 void CPKIFTimestampVerifier::SetDataHashSet(
00462     CPKIFParallelHashPtr& ph)
00463 {
00464     LOG_STRING_DEBUG("CPKIFTimestampVerifier::SetDataHashSet(CPKIFParallelHashPtr& ph)", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00465 
00466     CPKIFBufferPtr emptyBP;
00467     m_impl->m_hash = emptyBP;
00468     m_impl->m_orig = emptyBP;
00469 
00470     m_impl->m_ph = ph;
00471 }
00472 
00473 //ACTIONS
00499 void CPKIFTimestampVerifier::Verify(
00501     CPKIFContentInfoPtr& timestamp)
00502 {
00503     LOG_STRING_DEBUG("CPKIFTimestampVerifier::Verify(CPKIFContentInfoPtr& timestamp)", TOOLKIT_TSP_TIMESTAMP_VERIFIER, 0, this);
00504 
00505     CPKIFSignedData sd;
00506 
00507     CPKIFFuncStoragePtr ekuFunctor(new CPKIFFuncStorage(EKUChecker_TimestampTSP));
00508 
00509     if(NULL != m_impl->m_externalMediator)
00510         sd.AddMediator(m_impl->m_externalMediator);
00511     else 
00512     {
00513         if(NULL == m_impl->m_internalMediator)
00514             m_impl->MakeInternalMediator();
00515 
00516         if(NULL != m_impl->m_internalMediator)
00517             sd.AddMediator(m_impl->m_internalMediator);
00518         else
00519             throw CPKIFTSPException(thisComponent, COMMON_UNKNOWN_ERROR, "Failed to create a mediator for timestamp verification.");
00520     }
00521 
00522     sd.SetPathSettings(m_impl->m_pathSettings);
00523 
00524     IPKIFPathValidate* cValidate = sd.GetMediator()->GetMediator<IPKIFPathValidate>();
00525     if(NULL != cValidate)
00526     {
00527         cValidate->SetAdditionalCertificateChecks(ekuFunctor);//replace any higher level additional checks
00528     }
00529 
00530     //Extract the signed data portion from the content info
00531     //sd.Decode(timestamp->GetContent());
00532     CPKIFBufferPtr timestampContent = timestamp->GetContent();
00533     sd.Decode(timestampContent);
00534 
00535     m_impl->m_verificationStatusResult = NOT_VERIFIED;
00536     bool minStatusMet = false;
00537     CPKIFCertificatePtr signersCert;
00538     try
00539     {
00540 
00541         //Get SignerInfos
00542         CPKIFSignerInfos tsaSIS;
00543         sd.GetSignerInfos(tsaSIS);
00544 
00545         if(tsaSIS.size() > 1)
00546         {
00547             throw CPKIFTSPException(thisComponent, TSP_MORE_THEN_ONE_SIGNER, "Timestamp contains more then one signer.");
00548         }
00549 
00550         CPKIFSigningCertificateAttributePtr sc = tsaSIS[0]->GetSignedAttribute<CPKIFSigningCertificateAttribute>();
00551 
00552         if(sc != (CPKIFSigningCertificateAttribute*)NULL)
00553         {
00554             CPKIFESSCertIdListPtr certIds = sc->GetCerts();
00555             CPKIFESSCertIdList::iterator pos = certIds->begin();
00556         
00557             //get the cert of the first (and per 3161 - only) signer
00558             //set it as the TSA regardless of the outcome of path validation
00559             sd.GetSignersCert(0, signersCert);
00560 
00561             if(pos != certIds->end())
00562             {
00563                 CPKIFBufferPtr hashedB(new CPKIFBuffer);
00564                 int hashResultLen = 20;
00565                 unsigned char* hashResult = hashedB->AllocateBuffer(hashResultLen);
00566 
00567                 IPKIFHashContext* hash = NULL;
00568                 try
00569                 {
00570                     IPKIFMediatorPtr m = GetMediator();
00571                     IPKIFCryptoMisc* cryptoMisc = m->GetMediator<IPKIFCryptoMisc>();
00572                     CPKIFBufferPtr encCert = signersCert->Encoded();
00573 
00574                     //create a hash object, pass the buffer and length we calculated and obtain the result
00575                     hash = cryptoMisc->HashInit(PKIFCRYPTO::SHA1);
00576                     cryptoMisc->HashUpdate(hash, (unsigned char*)encCert->GetBuffer(), encCert->GetLength());
00577                     cryptoMisc->HashFinal(hash, (unsigned char*)hashResult, &hashResultLen);
00578                 }
00579                 catch(CPKIFException& e)
00580                 {
00581                     if(NULL != hash)
00582                         delete hash;
00583 
00584                     throw e;
00585                 }
00586 
00587                 //clean up the hash
00588                 if(NULL != hash)
00589                     delete hash; 
00590                 
00591                 CPKIFBufferPtr hashedA = (*pos)->GetCertHash();
00592 
00593                 if(*hashedA != *hashedB)
00594                 {
00595                     throw CPKIFTSPException(thisComponent, TSP_SIGNER_ID_MISMATCH, "Timestamp signer mismatch.");
00596                 }
00597 
00598                 const char * serialA = (*pos)->GetSerialNumber();
00599                 CPKIFGeneralNameListPtr issuerNames;
00600                 (*pos)->GetIssuerName(issuerNames);
00601 
00602                 if(serialA != NULL && issuerNames != (CPKIFGeneralNameList*)NULL)
00603                 {
00604                     CPKIFGeneralNameList::iterator posName = issuerNames->begin();
00605 
00606                     if(posName != issuerNames->end())
00607                     {
00608                         CPKIFNamePtr a = (*posName)->directoryName();
00609                         CPKIFNamePtr b = signersCert->Issuer();
00610                         const char * serialB = signersCert->SerialNumber();
00611 
00612                         if(*a == *b && strcmp(serialA,serialB) == 0 )
00613                         {
00614                             //good
00615                         }
00616                         else
00617                         {
00618                             throw CPKIFTSPException(thisComponent, TSP_SIGNER_ID_MISMATCH, "Timestamp signer mismatch.");
00619                         }
00620                     }
00621                 }
00622             }
00623             else
00624             {
00625                 throw CPKIFTSPException(thisComponent, TSP_MISSING_REQUIRED_FIELD, "Missing ESSCertId in timestamp response.");
00626             }
00627         }
00628         else
00629         {
00630             throw CPKIFTSPException(thisComponent, TSP_MISSING_REQUIRED_FIELD, "Missing Signer Certificate Attribute in timestamp response.");
00631         }
00632 
00633         m_impl->m_tsaCert = signersCert;
00634 
00635         //The call to Verify on the SignedData object will take care of most
00636         //of the following three verification steps identified in RFC3161.
00637         //B-1)  The time-stamp token itself MUST be verified and it MUST be
00638         //      verified that it applies to the signature of the signer(i.e.
00639         //      inspect the message imprint, which is done below).
00640         //B-3)  The certificate used by the signer MUST be identified and
00641         //      retrieved.
00642         //B-5)  The revocation information about that certificate, at the
00643         //      date/time of the Time-Stamping operation, MUST be retrieved.
00644         minStatusMet = sd.Verify(0, m_impl->m_verificationStatusResult, m_impl->m_verificationStatusMinumum);
00645 
00646         //unset the extra check
00647         if(NULL != cValidate)
00648         {
00649             CPKIFFuncStoragePtr empty;
00650             cValidate->SetAdditionalCertificateChecks(empty);
00651         }
00652     }
00653     catch(CPKIFException& e)
00654     {
00655         //unset the extra check
00656         if(NULL != cValidate)
00657         {
00658             CPKIFFuncStoragePtr empty;
00659             cValidate->SetAdditionalCertificateChecks(empty);
00660         }
00661 
00662         CPKIFTSPException te(thisComponent, COMMON_UNKNOWN_ERROR, "Unexpected exception during timestamp verification.");
00663         te.push_info(e);
00664         throw te;
00665     }
00666 
00667     //if(m_impl->m_verificationStatusResult > CMS_SIGNATURE_VERIFIED)
00668     //{
00669         //always get the path and results from the SignedData object, empty though they may be
00670         m_impl->m_path = sd.GetPath();
00671         m_impl->m_pvResults = sd.GetValidationResults();
00672     //}
00673     //else
00674     //{
00675     //  CPKIFCertificatePathPtr emptyPath;
00676     //  m_impl->m_path = emptyPath;
00677 
00678     //  CPKIFPathValidationResultsPtr emptyResults;
00679     //  m_impl->m_pvResults = emptyResults;
00680     //}
00681 
00682     //check to see if min status was met.  if not fail unless the status was REV_STATUS_INVALID.
00683     //if revoked cert is present it's OK as long as the revocation time is after timestamp time
00684     //XXX***this needs testing after TSA is developed
00685     if(!minStatusMet && REV_STATUS_INVALID != m_impl->m_verificationStatusResult)
00686         throw CPKIFTSPException(thisComponent, TSP_VERIFICATION_FAILED, "Minimum verification status not met.");
00687 
00688     //just to make sure EKU was present
00689     CPKIFExtendedKeyUsagePtr eku = signersCert->GetExtension<CPKIFExtendedKeyUsage>();
00690     if(eku != (CPKIFExtendedKeyUsage*)NULL)
00691     {
00692         std::vector<CPKIFOIDPtr> keyPurposeIDs;
00693         eku->KeyPurposeIDs(keyPurposeIDs);
00694 
00695         GottaMatch<CPKIFOIDPtr> gm;
00696         gm.SetRHS(g_timestampingEKU);
00697 
00698         std::vector<CPKIFOIDPtr>::iterator end = keyPurposeIDs.end();
00699         if(end == find_if(keyPurposeIDs.begin(), keyPurposeIDs.end(), gm))
00700         {
00701             gm.SetRHS(g_anyEKU);
00702             if(end == find_if(keyPurposeIDs.begin(), keyPurposeIDs.end(), gm))
00703             {
00704                 throw CPKIFTSPException(thisComponent, TSP_MISSING_REQUIRED_EKU);
00705             }
00706         }
00707     }
00708 
00709     //next, extract the TSTInfo object from the SignedData structure
00710     CPKIFEncapsulatedContentInfoPtr ecip = sd.GetEncapsulatedContent();
00711     if(ecip == (CPKIFEncapsulatedContentInfo*)NULL)
00712         throw CPKIFTSPException(thisComponent, TSP_MISSING_REQUIRED_FIELD, "Timestamp has no encapsulated content info field.");
00713 
00714     CPKIFBufferPtr encodedTSTInfo = ecip->GetContent();
00715     if(encodedTSTInfo == (CPKIFBuffer*)NULL)
00716         throw CPKIFTSPException(thisComponent, TSP_MISSING_REQUIRED_FIELD, "Timestamp has no encapsulated content.");
00717 
00718     CPKIFTSTInfo tstInfo;
00719     tstInfo.Decode(encodedTSTInfo);
00720 
00721     if (tstInfo.GetVersion() != 1)
00722         throw CPKIFTSPException(thisComponent, COMMON_UNSUPPORTED_VERSION, "PKIF only supports version 1 TSP structures.");
00723 
00724     //B-1)  (continued) inspect the message imprint
00725     CPKIFMessageImprintPtr mi = tstInfo.GetMessageImprint();
00726     CPKIFBufferPtr hashFromTimestamp = mi->GetHashedMessage();
00727 
00728     CPKIFAlgorithmIdentifierPtr hashAlg = mi->GetHashAlgorithm();
00729     PKIFCRYPTO::HASH_ALG ha = PKIFCRYPTO::SHA1;
00730     GetCACHashAlg(hashAlg->oid(), &ha);
00731 
00732     CPKIFBufferPtr hashedMessage = m_impl->GetHash(ha);
00733 
00734     if(hashedMessage == (CPKIFBuffer*)NULL || !(*hashFromTimestamp == *hashedMessage))
00735         throw CPKIFTSPException(thisComponent, TSP_HASH_MISMATCH, "Timestamp hash does not match expected hash value.");
00736 
00737     //B-2)  The date/time indicated by the TSA in the TimeStampToken
00738     //      MUST be retrieved.
00739     CPKIFTimePtr time = tstInfo.GetGeneralizedTime();
00740     m_impl->m_dateTime = time;
00741     CPKIFTimePtr comparisonTime = m_impl->m_time;
00742 
00743     if(comparisonTime == (CPKIFTime*)NULL)
00744         comparisonTime = CPKIFTime::CurrentTime();
00745 
00746     if(m_impl->m_skew > 0)
00747     {
00748         CPKIFDurationPtr d(new CPKIFDuration);
00749         d->setSeconds(m_impl->m_skew/2);
00750 
00751         *time -= *d;
00752         d->setSeconds(m_impl->m_skew);
00753 
00754         CPKIFPeriod p(time, d);
00755         bool b = p.contains(comparisonTime);
00756         d->setSeconds(m_impl->m_skew/2);
00757         *time += *d;
00758         if(!b)
00759             throw CPKIFTSPException(thisComponent, TSP_NOT_WITHIN_SKEW, "Timestamp time is not within the specified acceptable time period.");
00760     }
00761 
00762     //B-4)  The date/time indicated by the TSA MUST be within the
00763     //      validity period of the signer's certificate.
00764     CPKIFValidityPtr valPer = signersCert->Validity();
00765     CPKIFTimePtr notBefore = valPer->notBefore();
00766     CPKIFTimePtr notAfter = valPer->notAfter();
00767 
00768     CPKIFPeriod p2(notBefore, notAfter);
00769     bool b2 = p2.contains(time);
00770     if(!b2)
00771         throw CPKIFTSPException(thisComponent, TSP_NOT_WITHIN_VALIDITY_PERIOD, "Timestamp time not within TSA validity period.");
00772 
00773     //B-6)  Should the certificate be revoked, then the date/time of
00774     //      revocation shall be later than the date/time indicated by
00775     //      the TSA.
00776     //revocation sources
00777     CPKIFPathValidationResultsPtr pvr = sd.GetValidationResults();
00778     if(pvr == (CPKIFPathValidationResults*)NULL)
00779     {
00780         if(!minStatusMet)
00781             throw CPKIFTSPException(thisComponent, TSP_VERIFICATION_FAILED, "Minimum verification status not met.");
00782         else
00783             return;
00784     }
00785 
00786     CPKIFCertStatusPtr certStatus = pvr->GetCertStatus();
00787     if(certStatus == (CPKIFCertStatus*)NULL)
00788     {
00789         if(!minStatusMet)
00790             throw CPKIFTSPException(thisComponent, TSP_VERIFICATION_FAILED, "Minimum verification status not met.");
00791         else
00792             return;
00793     }
00794 
00795     RevocationSourceList rsl;
00796     certStatus->GetRevocationSources(rsl);
00797 
00798     RevocationSourceList::iterator rslPos;
00799     RevocationSourceList::iterator rslEnd = rsl.end();
00800     int count = 0;
00801     bool foundRevoked = false, revocationTimeOK = false;
00802     for(rslPos = rsl.begin(), count = 1; rslPos != rslEnd; ++rslPos, ++count)
00803     {
00804         if(REVOKED == (*rslPos)->m_status)
00805         {
00806             foundRevoked = true;
00807 
00808             IPKIFRevSourceInfoPtr rsip = (*rslPos)->m_sourceInfo;
00809             switch((*rslPos)->m_sourceType)
00810             {
00811             case REVSOURCE_CRL:
00812                 {
00813                     CPKIFCRLInfoPtr crlInfo = RevInfoCast<CPKIFCRLInfo>(rsip);
00814                     if(crlInfo == (CPKIFCRLInfo*)NULL)
00815                         continue;
00816 
00817                     CPKIFCRLEntryPtr crlEntry = crlInfo->GetCRLEntry();
00818                     if(crlEntry == (CPKIFCRLEntry*)NULL)
00819                         continue;
00820 
00821                     CPKIFTimePtr revTime = crlEntry->RevocationDate();
00822                     if(revTime == (CPKIFTime*)NULL)
00823                         continue;
00824                     
00825                     if(time < revTime)
00826                         revocationTimeOK = true;
00827                 }
00828                 break;
00829             case REVSOURCE_OCSP:
00830                 {
00831                     CPKIFOCSPInfoPtr ocspInfo = RevInfoCast<CPKIFOCSPInfo>(rsip);
00832 
00833                     if(ocspInfo != (CPKIFOCSPInfo*)NULL)
00834                     {
00835                         //*******************************************************
00836                         //  general response information
00837                         //*******************************************************
00838                         CPKIFOCSPResponsePtr ocspResponse = ocspInfo->GetOCSPResponse();
00839                         if(ocspResponse == (CPKIFOCSPResponse*)NULL)
00840                             continue;
00841 
00842                         OCSPResponseStatus ors = ocspResponse->GetResponseStatus();
00843                         if(successful != ors)
00844                             continue;
00845 
00846                         //*******************************************************
00847                         //  single response information pertaining to target cert
00848                         //*******************************************************
00849                         CPKIFSingleResponsePtr singleResponse = ocspInfo->GetSingleResponse();
00850                         if(singleResponse == (CPKIFSingleResponse*)NULL)
00851                             continue;
00852 
00853                         CPKIFTimePtr revTime = singleResponse->GetThisUpdate();
00854                         if(time < revTime)
00855                             revocationTimeOK = true;
00856                     }
00857                 }
00858                 break;
00859             }
00860         }
00861     }
00862 
00863     if(foundRevoked && !revocationTimeOK)
00864         throw CPKIFTSPException(thisComponent, TSP_REVOCATION_DATE_PRECEDES_TIME, "TSA revoked before timestamp time.");
00865 }
00866 
00874 IPKIFMediatorPtr CPKIFTimestampVerifier::GetMediator() const
00875 {
00876     IPKIFMediatorPtr activeMediator;
00877     if(m_impl->m_externalMediator)
00878         activeMediator = m_impl->m_externalMediator;
00879     else
00880         activeMediator = m_impl->m_internalMediator;
00881 
00882     return activeMediator;
00883 }
00891 CMSPathValidationStatus CPKIFTimestampVerifier::GetMinimumVerificationStatus() const
00892 {
00893     return m_impl->m_verificationStatusMinumum;
00894 }
00902 CPKIFPathSettingsPtr CPKIFTimestampVerifier::GetPathSettings() const
00903 {
00904     return m_impl->m_pathSettings;
00905 }
00913 int CPKIFTimestampVerifier::GetSkew() const
00914 {
00915     return m_impl->m_skew;
00916 }
00924 CPKIFTimePtr CPKIFTimestampVerifier::GetComparisonTime() const
00925 {
00926     return m_impl->m_time;
00927 }
00928 
00929 CPKIFBufferPtr CPKIFTimestampVerifier::GetDataComplete() const
00930 {
00931     return m_impl->m_orig;
00932 }
00940 CPKIFBufferPtr CPKIFTimestampVerifier::GetDataHash(
00942     PKIFCRYPTO::HASH_ALG& ha) const
00943 {
00944     ha = m_impl->m_ha;
00945     return m_impl->m_hash;
00946 }
00954 CPKIFParallelHashPtr CPKIFTimestampVerifier::GetDataHashSet() const
00955 {
00956     return m_impl->m_ph;
00957 }
Generated on Mon Nov 15 11:15:57 2010 for PublicKeyInfrastructureFramework(PKIF) by  doxygen 1.5.6