CPKIFPathBasicChecks2 Class Reference

#include <PKIFPathBasicChecks2.h>



Detailed Description

CPKIFPathBasicChecks2 implements the path validation algorithm defined in X.509, excluding certificate signature verification and revocation status checking. This class is used internally by CPKIFPathValidator2, which completes the path validation process by invoking signature verification and revocation status checking.

TSP-enforcing: No

Definition at line 28 of file PKIFPathBasicChecks2.h.


Public Member Functions

 CPKIFPathBasicChecks2 (void)
virtual ~CPKIFPathBasicChecks2 (void)

Static Public Member Functions

static bool DoChecks (const CPKIFCertificatePath &path, CPKIFPathValidationResults &results, CPKIFFuncStoragePtr &funcs)

Constructor & Destructor Documentation

CPKIFPathBasicChecks2::CPKIFPathBasicChecks2 ( void   ) 

Interface: External

This function creates and initializes CPKIFPathBasicChecks2 objects.

Returns:
None

Definition at line 53 of file CACPathBasicChecks2.cpp.

References LOG_STRING_DEBUG, and TOOLKIT_PATH_BASIC_CHECKS.

CPKIFPathBasicChecks2::~CPKIFPathBasicChecks2 ( void   )  [virtual]

Interface: External

This function destroys a CPKIFPathBasicChecks2 object.

Returns:
None

Definition at line 64 of file CACPathBasicChecks2.cpp.

References LOG_STRING_DEBUG, and TOOLKIT_PATH_BASIC_CHECKS.


Member Function Documentation

bool CPKIFPathBasicChecks2::DoChecks ( const CPKIFCertificatePath &  path,
CPKIFPathValidationResults &  results,
CPKIFFuncStoragePtr &  funcs 
) [static]

Interface: External

The DoChecks method implements the path validation algorithm defined in X.509 (excluding signature verification and revocation status checking).

The path parameter must contain a certification path consisting of at least one certificate and a trust anchor, and must include a CPKIFPathSettings object. The trust anchor must be available in the form of a certificate; PKIF does not currently support non-certificate-based trust anchors. If these preconditions are not satisfied, a CPKIFPathException is thrown with an appropriate error code.

The current system time is used as the time of interest unless an alternative time is available via the GetValidationTime function on the CPKIFPathSettings object. The alternative time value may be specified by the application via the SetValidationTime function.

This function creates a new CPKIFCertStatus object for each CPKIFCertificateNodeEntry object in the certification path. Validation proceeds from the certificate nearest the trust root to the target certificate. Status information is filled in as each certificate is processed.

If an error occurs, the application-specified callback is invoked, if one is available from the path settings object. If the callback function returns true, the error is ignored and processing continues. If the callback returns false, processing halts and the CPKIFCertStatus object of the current certificate is updated to indicate the reason for failure. The following errors may be returned:

	PATH_SIGNATURE_VERIFICATION_FAILED, 
	PATH_NAME_CHAINING_VIOLATION, 
	PATH_VALIDITY_PERIOD_VIOLATION, 
	PATH_NAME_CONSTRAINTS_VIOLATION, 
	PATH_LENGTH_VIOLATION, 
	PATH_BASIC_CONSTRAINTS_VIOLATION, 
	PATH_KEY_USAGE_VIOLATION, 
	PATH_NULL_AUTH_POLICY_SET, 
	PATH_APP_DEFINED_CHECK_FAILED, 
	PATH_UNPROCESSED_CRITICAL_EXTENSION, or
	PATH_NULL_USER_POLICY_SET

As mentioned above, this function does not perform signature verification processing. The PATH_SIGNATURE_VERIFICATION_FAILED error code is returned if algorithm chaining fails, i.e., a certificate is signed using one algorithm and the adjacent issuer in the path has a public key for a different algorithm.

The PATH_APP_DEFINED_CHECK_FAILED error code indicates that an application-defined function passed via the funcs parameter threw a CPKIFException. The exception is ignored and the status is updated with the PATH_APP_DEFINED_CHECK_FAILED error code. For each certificate in the path (excluding the trust anchor), the function pointers passed via funcs are invoked in the order they were added to the CPKIFFuncStorage object until all functions have been invoked or an exception is raised.

Information is returned via the results parameter.

Returns:
This function returns true if validation was successful and false otherwise. Information regarding the cause of a path validation failure is reported via the CPKIFCertStatus object associated with the certificate that was being processed when the failure occurred. This can be retrieved by invoking GetCertificate on the CPKIFPathValidationResults object.
Exceptions:
CPKIFPathException(COMMON_INVALID_INPUT) 
CPKIFPathException(PATH_TRUST_ROOT_NOT_SET) 
Parameters:
path  [in] CPKIFCertificatePath object containing the certification path to validate
results  [out] Reference to a CPKIFPathValidationResults object to which path validation results should be written
funcs  [in] Optional pointer to a CPKIFFuncStorage object containing pointers to application defined functions that extend the path validation functionality
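
The control flow described for DoChecks (anchor-to-target processing, a status per certificate, and an error callback that can ignore a failure) is modelled below. This is an added example, not PKIF code: Cert, Status, Err, ErrorCallback, doBasicChecks and the sample path are hypothetical stand-ins, the overridden flag is this example's own addition, and returning true after an ignored error is an assumption about the described behaviour.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-ins for illustration; these are not PKIF classes.
enum Err { OK, NAME_CHAINING, VALIDITY_PERIOD, ALG_CHAINING };
struct Cert {
    std::string subject, issuer, sigAlg, keyAlg;  // sigAlg signed this cert; keyAlg is its own key
    long notBefore, notAfter;                     // constructed integer times
};
struct Status { Err err = OK; bool overridden = false; };
using ErrorCallback = std::function<bool(const Cert&, Err)>;  // true = ignore and continue

// path[0] is the trust anchor certificate, path.back() is the target.
bool doBasicChecks(const std::vector<Cert>& path, long when,
                   const ErrorCallback& cb, std::vector<Status>& out) {
    out.assign(path.size(), Status{});
    for (size_t i = 1; i < path.size(); ++i) {        // anchor -> target
        const Cert &issuer = path[i - 1], &c = path[i];
        std::vector<Err> found;
        if (c.issuer != issuer.subject) found.push_back(NAME_CHAINING);
        if (when < c.notBefore || when > c.notAfter) found.push_back(VALIDITY_PERIOD);
        // PKIF reports this mismatch as PATH_SIGNATURE_VERIFICATION_FAILED.
        if (c.sigAlg != issuer.keyAlg) found.push_back(ALG_CHAINING);
        for (Err e : found) {
            if (cb && cb(c, e)) { out[i].overridden = true; continue; }
            out[i].err = e;       // reason is recorded on the current certificate
            return false;         // halt: later certificates are never examined
        }
    }
    return true;
}

// Constructed sample: CA1 expired at when=1500; EE signed with ECDSA under CA1's RSA key.
std::vector<Cert> samplePath() {
    return { {"Root", "Root", "RSA",   "RSA", 0, 10000},
             {"CA1",  "Root", "RSA",   "RSA", 0, 1000},
             {"EE",   "CA1",  "ECDSA", "RSA", 0, 10000} };
}

// Override scoped to one error on one certificate, versus ignoring everything.
bool scopedOverride(const Cert& c, Err e) { return e == VALIDITY_PERIOD && c.subject == "CA1"; }
bool blanketOverride(const Cert&, Err) { return true; }

int main() {
    std::vector<Status> st;
    std::cout << doBasicChecks(samplePath(), 1500, scopedOverride, st)
              << doBasicChecks(samplePath(), 1500, blanketOverride, st) << "\n";
}
```

With the constructed path, the scoped callback still fails on the algorithm-chaining mismatch at the target, while the blanket callback reports success. A callback that returns true unconditionally therefore disables every check in the error list above, so applications should scope overrides narrowly and record each one.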

Definition at line 124 of file CACPathBasicChecks2.cpp.

References AddPoliciesToAuthSet(), CPKIFPathSettings::ANY_POLICY, ASN1_DECODE_ERROR, CheckNameConstraints(), COMMON_INVALID_INPUT, CPKIFTime::CurrentTime(), PKIFENUMS::EE, CPKIFFuncStorage::empty(), ERROR_OVERRIDE, CPKIFPathSettings::EXPLICIT_POLICY, GetAlgClass(), CPKIFPathValidationResults::GetAuthorityConstrainedSet(), CPKIFException::GetDescription(), CPKIFException::GetErrorCode(), CPKIFFuncStorageSingleton::GetInstance(), CPKIFCertificatePath::GetPath(), CPKIFCertificatePath::GetPathSettings(), IPKIFNameAndKey::GetSubjectPublicKeyInfo(), CPKIFCertificatePath::GetTrustRoot(), PKIFENUMS::INTERMEDIATE, IntersectSets(), IntersectSubtrees(), LOG_STRING_DEBUG, PATH_APP_DEFINED_CHECK_FAILED, PATH_BASIC_CONSTRAINTS_VIOLATION, PATH_KEY_USAGE_VIOLATION, PATH_LENGTH_VIOLATION, PATH_NAME_CHAINING_VIOLATION, PATH_NAME_CONSTRAINTS_VIOLATION, PATH_NULL_AUTH_POLICY_SET, PATH_NULL_USER_POLICY_SET, PATH_SIGNATURE_VERIFICATION_FAILED, PATH_TRUST_ROOT_NO_CERT, PATH_TRUST_ROOT_NOT_SET, PATH_UNPROCESSED_CRITICAL_EXTENSION, PATH_VALIDITY_PERIOD_VIOLATION_EXPIRED, PATH_VALIDITY_PERIOD_VIOLATION_NOT_YET_VALID, CPKIFPathSettings::POLICY_MAPPING, ProcessPolicyMapping(), RAISE_PATH_EXCEPTION, CPKIFPathValidationResults::SetAuthorityConstrainedSet(), CPKIFPathValidationResults::SetBasicChecksSuccessfullyPerformed(), CPKIFPathValidationResults::SetCertificate(), CPKIFPathValidationResults::SetExcludedSubtrees(), CPKIFPathValidationResults::SetExplicitPolicyIndicator(), CPKIFPathValidationResults::SetPendingAnyPolicy(), CPKIFPathValidationResults::SetPendingExplicitPolicy(), CPKIFPathValidationResults::SetPendingPathLength(), CPKIFPathValidationResults::SetPendingPolicyMapping(), CPKIFPathValidationResults::SetPermittedSubtrees(), CPKIFPathValidationResults::SetTrustAnchor(), CPKIFPathValidationResults::SetUserConstrainedSet(), and TOOLKIT_PATH_BASIC_CHECKS.

Referenced by PathOK(), and CPKIFPathValidator2::ValidatePath().


The documentation for this class was generated from the following files:

Generated on Mon Nov 15 11:20:32 2010 for PublicKeyInfrastructureFramework(PKIF) by  doxygen 1.5.6