229 lines
6.9 KiB
Plaintext
229 lines
6.9 KiB
Plaintext
|
================================================================================
|
|||
|
Data Structures
|
|||
|
================================================================================
|
|||
|
|
|||
|
Certificate Object
|
|||
|
|
|||
|
This is the main object for caching of trust information for a certificate. It
|
|||
|
contains information which will be used to build the chain context. This data
|
|||
|
is specified as follows:
|
|||
|
|
|||
|
Certificate Object Identifier (MD5 hash of issuer and serial no.)
|
|||
|
|
|||
|
Certificate Context
|
|||
|
|
|||
|
Pre calculated Trust Status Bits
|
|||
|
|
|||
|
CERT_TRUST_IS_SELF_SIGNED
|
|||
|
CERT_TRUST_IS_IN_ROOT_STORE
|
|||
|
CERT_TRUST_HAS_EXACT_MATCH_ISSUER
|
|||
|
|
|||
|
CERT_TRUST_IS_SIGNATURE_VALID (if it is self-signed)
|
|||
|
|
|||
|
Enhanced Key Usage (merged and sorted)
|
|||
|
|
|||
|
Issuer Certificate Objects (list)
|
|||
|
|
|||
|
CERT_TRUST_IS_SIGNATURE_VALID for each issuer
|
|||
|
CERT_TRUST_IS_TIME_NESTED for each issuer
|
|||
|
|
|||
|
CERT_TRUST_IS_SIGNATURE_VALID for issuer simple chain
|
|||
|
CERT_TRUST_IS_TIME_NESTED For issuer simple chain
|
|||
|
|
|||
|
Trust List Entry Objects (LRU bounded list)
|
|||
|
|
|||
|
Revocation Entry Object
|
|||
|
|
|||
|
Construction of a Certificate Object given a certificate context is as follows:
|
|||
|
|
|||
|
Certificate Object Identifier is calculated
|
|||
|
|
|||
|
Certificate Context is duplicated
|
|||
|
|
|||
|
If the subject name and issuer name are equal then
|
|||
|
CERT_TRUST_IS_SELF_SIGNED is set
|
|||
|
|
|||
|
If it is in the root store then
|
|||
|
CERT_TRUST_IS_IN_ROOT_STORE is set
|
|||
|
|
|||
|
If it has the Authority Key Identifier extension then
|
|||
|
CERT_TRUST_HAS_EXACT_MATCH_ISSUER is set
|
|||
|
|
|||
|
Enhanced Key Usage is calculated based on extensions and properties.
|
|||
|
|
|||
|
Initialize Issuer Certificate Objects list
|
|||
|
|
|||
|
If !CERT_TRUST_IS_SELF_SIGNED then
|
|||
|
If CERT_TRUST_HAS_EXACT_MATCH_ISSUER then
|
|||
|
FindExactMatchIssuersInEngine
|
|||
|
RetrieveExactMatchIssuersByUrl
|
|||
|
Otherwise
|
|||
|
FindNameMatchIssuersInEngine
|
|||
|
|
|||
|
Trust List Entry Objects is set to NULL
|
|||
|
|
|||
|
Revocation Entry Object is set to NULL
|
|||
|
|
|||
|
FindExactMatchIssuersInEngine
|
|||
|
|
|||
|
Check Certificate Object Cache for objects which match the given issuer
|
|||
|
and serial no. ( certificate object identifier )
|
|||
|
|
|||
|
Add them to the Issuer Certificate Objects list
|
|||
|
|
|||
|
Check configured stores for certificates which have the same Issuer
|
|||
|
and Serial No. and for each certificate
|
|||
|
|
|||
|
If not found by hash in the Certificate Object Cache then
|
|||
|
Create Certificate Object
|
|||
|
Add to the Certificate Object Cache
|
|||
|
Add to the Issuer Certificate Objects list
|
|||
|
|
|||
|
RetrieveExactMatchIssuersByUrl
|
|||
|
|
|||
|
Retrieve the certificate using the encoded URL
|
|||
|
|
|||
|
Check the Certificate Object Cache for object matching the certificate
|
|||
|
hash
|
|||
|
|
|||
|
If not found by hash then
|
|||
|
Create Certificate Object
|
|||
|
Add to the Certificate Object Cache
|
|||
|
Add to Issuer Certificate Objects list
|
|||
|
|
|||
|
FindNameMatchIssuersInEngine
|
|||
|
|
|||
|
Get the issuer name from the certificate context in the certificate
|
|||
|
object
|
|||
|
|
|||
|
Check the Certificate Object Cache for objects whose subject name
|
|||
|
match the issuer name retrieved
|
|||
|
|
|||
|
Add them to the Issuer Certificate Objects list
|
|||
|
|
|||
|
Check configured stores for certificates whose subject name match
|
|||
|
the issuer name retrieved and for each certificate
|
|||
|
|
|||
|
If not found by hash in the Certificate Object Cache then
|
|||
|
Create Certificate Object
|
|||
|
Add to the Certificate Object Cache
|
|||
|
Add to the Issuer Certificate Objects list
|
|||
|
|
|||
|
GetIssuer
|
|||
|
|
|||
|
Given a set of parameters (time, usage, additional store) determine
|
|||
|
the best issuer certificate object from the issuer certificate object
|
|||
|
list
|
|||
|
|
|||
|
Assign values for the various characteristics given here in order of
|
|||
|
importance:
|
|||
|
|
|||
|
Simple Chain Signature Validity
|
|||
|
Single Issuer Signature Validity
|
|||
|
Usage
|
|||
|
Time Validity
|
|||
|
Simple Chain Time Nesting
|
|||
|
Single Issuer Time Nesting
|
|||
|
|
|||
|
If the Issuer Certificate Objects list is NULL and
|
|||
|
!CERT_TRUST_IS_SELF_SIGNED then
|
|||
|
Initialize the Issuer Certificate Objects list from the
|
|||
|
additional store
|
|||
|
|
|||
|
Search the list for the best issuer using a calculated quality value
|
|||
|
|
|||
|
Certificate Object Cache
|
|||
|
|
|||
|
This is an LRU maintained cache of certificate object references keyed by the
|
|||
|
following:
|
|||
|
|
|||
|
Certificate Object Identifier
|
|||
|
|
|||
|
Subject Name
|
|||
|
|
|||
|
Issuer Name
|
|||
|
|
|||
|
Certificate Hash (MD5)
|
|||
|
|
|||
|
Trust List Entry Object
|
|||
|
|
|||
|
This object represents a certificate's entry in a trust list. The information
|
|||
|
contained is as follows:
|
|||
|
|
|||
|
Trust List Object
|
|||
|
|
|||
|
CTL Entry
|
|||
|
|
|||
|
Trust List Object
|
|||
|
|
|||
|
This object represents a CTL and wraps the CTL context. It also caches
|
|||
|
certificate object references which are in this CTL and have been seen by
|
|||
|
this chain engine. The information contained is as follows:
|
|||
|
|
|||
|
Trust List Identifier
|
|||
|
|
|||
|
Enhanced Key Usage
|
|||
|
|
|||
|
CTL Context
|
|||
|
|
|||
|
CTL Subject Certificate Objects (LRU bounded list)
|
|||
|
|
|||
|
CTL Signer Certificate Object
|
|||
|
|
|||
|
Trust List Object Cache
|
|||
|
|
|||
|
This is a cache of trust list object references keyed by the following:
|
|||
|
|
|||
|
Trust List Identifier
|
|||
|
|
|||
|
Trust List Usage (Individual usages are separated)
|
|||
|
|
|||
|
The cache is initialized from the "trust" store at creation of the chain engine
|
|||
|
and updated when the store changes.
|
|||
|
|
|||
|
Revocation Entry Object
|
|||
|
|
|||
|
This object represents a certificate's current revocation state. The
|
|||
|
information contained is as follows:
|
|||
|
|
|||
|
Revocation List Object
|
|||
|
|
|||
|
CRL Entry
|
|||
|
|
|||
|
Revocation List Object
|
|||
|
|
|||
|
This object represents a CRL and wraps the CRL context. It also caches
|
|||
|
certificate object references which are in this CRL and have been seen by
|
|||
|
this chain engine. The information contained is as follows:
|
|||
|
|
|||
|
Revocation List Origin Identifier
|
|||
|
|
|||
|
CRL context
|
|||
|
|
|||
|
CRL Entry Certificate Objects (list)
|
|||
|
|
|||
|
CRL Issuer Certificate Object
|
|||
|
|
|||
|
Revocation List Object Cache
|
|||
|
|
|||
|
This is an LRU maintained cache of revocation object references keyed by the
|
|||
|
revocation list origin identifier
|
|||
|
|
|||
|
================================================================================
|
|||
|
Algorithms
|
|||
|
================================================================================
|
|||
|
|
|||
|
CertGetCertificateChain
|
|||
|
|
|||
|
Find end cert in certificate object cache and if not found create a
|
|||
|
temporary certificate object
|
|||
|
|
|||
|
Make the end certificate object the current certificate object and until
|
|||
|
there are no more current objects do the following:
|
|||
|
|
|||
|
Add the current object to the current simple chain
|
|||
|
|
|||
|
Get the issuer of the current object
|
|||
|
|
|||
|
|
|||
|
|