CPKIFPathValidator2 Class Reference
#include <PKIFPathValidator2.h>
Detailed Description
Applications do not typically operate directly on colleague objects. Information provided in this section is intended for developers creating custom colleagues that implement similar functionality. Details of private functions and member variables are not provided.The purpose of this class is to provide an implementation of the certification path validation algorithm expressed in X.509 (and restated in RFC3280). This class breaks certification path processing into the following three stages:
Basic path validation checks (e.g. name chaining, policy processing, name constraints, etc.)
Signature verification beginning with the trust anchor and proceeding through the target certificate
Revocation status determination, which will be performed using the functionality available via the associated mediator objects
The ValidatePath function provides the implementation and takes a complete certification path as input. Result information is returned via an instance of CPKIFPathValidationResults. State information is updated on the path object to support iterative invocation of path development and path validation functionality.
TSP-enforcing: No
Definition at line 43 of file PKIFPathValidator2.h.
Public Member Functions | |
| CPKIFPathValidator2 () | |
| virtual | ~CPKIFPathValidator2 (void) |
| void | Initialize () |
| bool | ValidatePath (CPKIFCertificatePath &path, CPKIFPathValidationResults &results, CPKIFFuncStoragePtr &thisCallOnlyFuncs) |
| void | SetAdditionalCertificateChecks (CPKIFFuncStoragePtr &funcs) |
| bool | GetEnforceTrustAnchorConstraints () const |
| void | SetEnforceTrustAnchorConstraints (bool b) |
Constructor & Destructor Documentation
| CPKIFPathValidator2::CPKIFPathValidator2 | ( | ) |
Interface: External
This function creates and initializes CPKIFPathValidator2 objects.
- Returns:
- None
Definition at line 58 of file PKIFPathValidator2.cpp.
| CPKIFPathValidator2::~CPKIFPathValidator2 | ( | void | ) | [virtual] |
Interface: External
This function destroys CPKIFPathValidator2 objects.
- Returns:
- None
Definition at line 95 of file PKIFPathValidator2.cpp.
References LOG_STRING_DEBUG, and TOOLKIT_PATH_VALIDATOR.
Member Function Documentation
| void CPKIFPathValidator2::Initialize | ( | void | ) | [virtual] |
Interface: External
This function initializes an instance for use in a collection of IPKIFColleague objects held by a mediator.
- Returns:
- None
Reimplemented from IPKIFColleague.
Definition at line 111 of file PKIFPathValidator2.cpp.
References LOG_STRING_DEBUG, and TOOLKIT_PATH_VALIDATOR.
| bool CPKIFPathValidator2::ValidatePath | ( | CPKIFCertificatePath & | path, | |
| CPKIFPathValidationResults & | results, | |||
| CPKIFFuncStoragePtr & | thisCallOnlyFuncs | |||
| ) | [virtual] |
Interface: External
This function will validate the path passed via the path parameter and return status information via the results parameter. Basic path validation checks will be performed (per X.509), certificate signatures will be validated and revocation status will be determined, if possible. This function may generate an exception containing the following error code PATH_TRUST_ROOT_NO_CERT.
When trust anchor constraint enforcement is enabled, the following constraints are read from the trust anchor and used to prepare the path validation inputs:
- policies
- policy constraints (requireExplicitPolicy and inhibitPolicyMapping)
- inhibit any policy
- nameConstraints
- Returns:
- A Boolean value indicating whether a definitive answer could be determined. For example, if a path can be declared completely valid, including revocation status determination for all certificates, the function returns true. If a path can be declared invalid, due to a failure of a basic validation check or due to a revoked certificate, then the function returns true. If the validation operation cannot be completed, e.g. because some revocation information is not available, then this function returns false. The return value is primarily of interest to the associated mediator, which would consult another validation colleague upon lack of a definitive response.
- Exceptions:
-
CPKIFPathException(PATH_TRUST_ROOT_NO_CERT) CPKIFPathException(COMMON_MEDIATOR_MISSING) CPKIFPathException(COMMON_INVALID_INPUT)
- Parameters:
-
path [in] Reference to a CPKIFCertificatePath object containing the certification path to validate results [out] Reference to a CPKIFPathValidationResults object containing the results of a validation operation thisCallOnlyFuncs [out] Pointer to a CPKIFFuncStorage containing the application-defined checks to invoke during path validation
Implements IPKIFPathValidate.
Definition at line 146 of file PKIFPathValidator2.cpp.
References IPKIFRevocationStatus::CheckStatusPath(), COMMON_INVALID_INPUT, COMMON_MEDIATOR_MISSING, CPKIFPathBasicChecks2::DoChecks(), FindErrorAndSetOnResults(), g_anyPolicy, CPKIFX509ExtensionMediator2::GetInstance(), CPKIFCertificatePath::GetPath(), CPKIFCertificatePath::GetPathSettings(), CPKIFCertificatePath::GetTarget(), CPKIFCertificatePath::GetTrustRoot(), IntersectSets(), IntersectSubtrees(), LOG_STRING_DEBUG, NOT_REVOKED, PATH_LENGTH_VIOLATION, PATH_UNPROCESSED_CRITICAL_EXTENSION, PathSigChecker(), CPKIFPathValidationResults::SetCertificate(), CPKIFPathValidationResults::SetCertStatus(), CPKIFPathValidationResults::SetRevocationStatusMostSevere(), CPKIFPathValidationResults::SetTargetIsTrustAnchor(), CPKIFPathValidationResults::SetTrustAnchor(), and TOOLKIT_PATH_VALIDATOR.
| void CPKIFPathValidator2::SetAdditionalCertificateChecks | ( | CPKIFFuncStoragePtr & | funcs | ) | [virtual] |
Interface: External
This function is used to set up a functor to perform additional validation during a call to ValidatePath. For each certificate in the path, ValidatePath will invoke the functor object set via a call to this function. Functor can cause path validation to fail. Checks typically performed by functors include checking key usage or extended key usage extensions or checking private extensions.
- Returns:
- None
- Parameters:
-
funcs [in] Pointer to a CPKIFFuncStoragePtr containing the application-defined checks to invoke during path validation
Implements IPKIFPathValidate.
Definition at line 76 of file PKIFPathValidator2.cpp.
References LOG_STRING_DEBUG, and TOOLKIT_PATH_VALIDATOR.
| bool CPKIFPathValidator2::GetEnforceTrustAnchorConstraints | ( | ) | const |
GetEnforceTrustAnchorConstraints returns a boolean value indicating whether or not trust anchor constraints are enforced as part of path validation. By default, trust anchor constraints are not enforced.
- Returns:
- true if trust anchor constraints are enforced and false otherwise
Definition at line 542 of file PKIFPathValidator2.cpp.
| void CPKIFPathValidator2::SetEnforceTrustAnchorConstraints | ( | bool | b | ) |
SetEnforceTrustAnchorConstraints is used to specify a boolean value indicating whether or not trust anchor constraints are enforced as part of path validation. By default, trust anchor constraints are not enforced. This function can be used to subsequently enable or disable trust anchor constraint enforcement.
- Returns:
- true if trust anchor constraints are enforced and false otherwise
Definition at line 553 of file PKIFPathValidator2.cpp.
The documentation for this class was generated from the following files:
