Source code of Windows XP (NT5)
================================================================================
Data Structures
================================================================================

Certificate Object

    This is the main object for caching of trust information for a certificate. It
    contains information which will be used to build the chain context. This data
    is specified as follows:

        Certificate Object Identifier (MD5 hash of issuer and serial no.)
        Certificate Context
        Pre-calculated Trust Status Bits
            CERT_TRUST_IS_SELF_SIGNED
            CERT_TRUST_IS_IN_ROOT_STORE
            CERT_TRUST_HAS_EXACT_MATCH_ISSUER
            CERT_TRUST_IS_SIGNATURE_VALID (if it is self-signed)
        Enhanced Key Usage (merged and sorted)
        Issuer Certificate Objects (list)
            CERT_TRUST_IS_SIGNATURE_VALID for each issuer
            CERT_TRUST_IS_TIME_NESTED for each issuer
            CERT_TRUST_IS_SIGNATURE_VALID for issuer simple chain
            CERT_TRUST_IS_TIME_NESTED for issuer simple chain
        Trust List Entry Objects (LRU bounded list)
        Revocation Entry Object
    Construction of a Certificate Object given a certificate context is as follows:

        Certificate Object Identifier is calculated
        Certificate Context is duplicated
        If the subject name and issuer name are equal then
            CERT_TRUST_IS_SELF_SIGNED is set
        If it is in the root store then
            CERT_TRUST_IS_IN_ROOT_STORE is set
        If it has the Authority Key Identifier extension then
            CERT_TRUST_HAS_EXACT_MATCH_ISSUER is set
        Enhanced Key Usage is calculated based on extensions and properties
        Initialize Issuer Certificate Objects list
        If !CERT_TRUST_IS_SELF_SIGNED then
            If CERT_TRUST_HAS_EXACT_MATCH_ISSUER then
                FindExactMatchIssuersInEngine
                RetrieveExactMatchIssuersByUrl
            Otherwise
                FindNameMatchIssuersInEngine
        Trust List Entry Objects is set to NULL
        Revocation Entry Object is set to NULL
    FindExactMatchIssuersInEngine

        Check the Certificate Object Cache for objects which match the given issuer
        and serial no. (certificate object identifier)
            Add them to the Issuer Certificate Objects list
        Check configured stores for certificates which have the same Issuer
        and Serial No. and for each certificate
            If not found by hash in the Certificate Object Cache then
                Create Certificate Object
                Add to the Certificate Object Cache
            Add to the Issuer Certificate Objects list

    RetrieveExactMatchIssuersByUrl

        Retrieve the certificate using the encoded URL
        Check the Certificate Object Cache for an object matching the certificate
        hash
            If not found by hash then
                Create Certificate Object
                Add to the Certificate Object Cache
            Add to the Issuer Certificate Objects list

    FindNameMatchIssuersInEngine

        Get the issuer name from the certificate context in the certificate
        object
        Check the Certificate Object Cache for objects whose subject name
        matches the issuer name retrieved
            Add them to the Issuer Certificate Objects list
        Check configured stores for certificates whose subject name matches
        the issuer name retrieved and for each certificate
            If not found by hash in the Certificate Object Cache then
                Create Certificate Object
                Add to the Certificate Object Cache
            Add to the Issuer Certificate Objects list
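The construction steps and the two in-engine issuer lookups above, as an added Python model (not crypt32 code and not taken from this design): certificates are plain records with constructed names and bytes, the CERT_TRUST_* bit values are invented, no signature is checked and RetrieveExactMatchIssuersByUrl is left out. The model also carries the LRU-bounded Certificate Object Cache with the keys the lookups use (object identifier, subject name, issuer name, certificate hash). One caveat the outline does not state: an Authority Key Identifier extension may carry only a key identifier and no issuer/serial pair, and an exact match by object identifier is only possible when that pair is present; the model assumes it is.

```python
"""Model of Certificate Object construction, the Certificate Object Cache and the
FindExactMatchIssuersInEngine / FindNameMatchIssuersInEngine lookups described above.
Added illustration, not crypt32 code: plain records, no signature checks, invented flags."""
import hashlib
from collections import OrderedDict

CERT_TRUST_IS_SELF_SIGNED = 0x1            # illustrative bit values, not the real ones
CERT_TRUST_IS_IN_ROOT_STORE = 0x2
CERT_TRUST_HAS_EXACT_MATCH_ISSUER = 0x4

class Cert:
    # Constructed stand-in for a certificate context; aki is the AKI extension's
    # (authorityCertIssuer, authorityCertSerialNumber) pair naming the issuing cert.
    def __init__(self, subject, issuer, serial, der, aki=None, eku=()):
        self.subject, self.issuer, self.serial, self.der, self.aki = subject, issuer, serial, der, aki
        self.eku = tuple(sorted(set(eku)))  # Enhanced Key Usage, merged and sorted

def cert_object_id(issuer, serial):
    """Certificate Object Identifier: MD5 over issuer name and serial number."""
    return hashlib.md5(issuer.encode() + b"\0" + str(serial).encode()).hexdigest()

def cert_hash(der):                         # Certificate Hash cache key (MD5)
    return hashlib.md5(der).hexdigest()

class CertObject:
    def __init__(self, cert, engine):
        self.id, self.hash, self.cert = cert_object_id(cert.issuer, cert.serial), cert_hash(cert.der), cert
        self.status = 0                     # pre-calculated trust status bits
        if cert.subject == cert.issuer: self.status |= CERT_TRUST_IS_SELF_SIGNED
        if self.hash in engine.root_hashes: self.status |= CERT_TRUST_IS_IN_ROOT_STORE
        if cert.aki is not None: self.status |= CERT_TRUST_HAS_EXACT_MATCH_ISSUER
        self.eku, self.issuers = cert.eku, []
        self.trust_list_entries = self.revocation_entry = None

    def resolve_issuers(self, engine):
        if self.status & CERT_TRUST_IS_SELF_SIGNED:
            return                          # a self-signed object has no issuer list to fill
        if self.status & CERT_TRUST_HAS_EXACT_MATCH_ISSUER:
            self.issuers = engine.find_exact_match_issuers(self.cert.aki)
        else:
            self.issuers = engine.find_name_match_issuers(self.cert.issuer)

class ChainEngine:
    def __init__(self, root_store, other_stores=(), max_cached=64):
        self.root_hashes = {cert_hash(c.der) for c in root_store}
        self.stores = [list(root_store)] + [list(s) for s in other_stores]
        self.max_cached, self._lru = max_cached, OrderedDict()   # hash -> object, newest last
        self._by_id, self._by_subject, self._by_issuer = {}, {}, {}

    def _index(self, obj, add):             # maintain the secondary keys of the cache
        for table, key in ((self._by_id, obj.id), (self._by_subject, obj.cert.subject),
                           (self._by_issuer, obj.cert.issuer)):
            bucket = table.setdefault(key, set())
            bucket.add(obj.hash) if add else bucket.discard(obj.hash)

    def cache_add(self, obj):
        self._lru[obj.hash] = obj
        self._index(obj, add=True)
        if len(self._lru) > self.max_cached:            # LRU bound: evict the oldest
            self._index(self._lru.popitem(last=False)[1], add=False)

    def cache_get_by_hash(self, h):
        obj = self._lru.get(h)
        if obj is not None:
            self._lru.move_to_end(h)        # every hit refreshes the entry
        return obj

    def create_object(self, cert):
        # Modelling choice: the object enters the cache before its issuers are resolved,
        # so two certificates naming each other as issuer still terminate.
        obj = CertObject(cert, self)
        self.cache_add(obj)
        obj.resolve_issuers(self)
        return obj

    def _collect(self, table, key, matches):
        issuers = [self.cache_get_by_hash(h) for h in sorted(table.get(key, ()))]  # cache hits
        for cert in (c for store in self.stores for c in store if matches(c)):     # then stores
            obj = self.cache_get_by_hash(cert_hash(cert.der)) or self.create_object(cert)
            if obj not in issuers:
                issuers.append(obj)
        return issuers

    def find_exact_match_issuers(self, aki):
        wanted = cert_object_id(*aki)       # the issuing cert's own object identifier
        return self._collect(self._by_id, wanted,
                             lambda c: cert_object_id(c.issuer, c.serial) == wanted)

    def find_name_match_issuers(self, issuer_name):
        return self._collect(self._by_subject, issuer_name, lambda c: c.subject == issuer_name)

# Constructed sample PKI: a root, two "Issuing CA" certificates (a renewal keeps the
# subject name) and two leaves, one without and one with an AKI extension.
ROOT = Cert("CN=Root CA", "CN=Root CA", 1, b"root-der")
ICA_10 = Cert("CN=Issuing CA", "CN=Root CA", 10, b"ica10-der", aki=("CN=Root CA", 1))
ICA_11 = Cert("CN=Issuing CA", "CN=Root CA", 11, b"ica11-der", aki=("CN=Root CA", 1))
LEAF_NAME = Cert("CN=leaf.example", "CN=Issuing CA", 500, b"leaf500-der", eku=["1.3.6.1.5.5.7.3.1"])
LEAF_AKI = Cert("CN=leaf.example", "CN=Issuing CA", 501, b"leaf501-der", aki=("CN=Root CA", 11))

def build_demo():
    """Engine plus both leaf objects: name match lists both Issuing CA certificates as
    candidates, the exact match only the one the AKI names."""
    engine = ChainEngine(root_store=[ROOT], other_stores=[[ICA_10, ICA_11]])
    return engine, engine.create_object(LEAF_NAME), engine.create_object(LEAF_AKI)
```

Running build_demo() shows why the exact match path exists: a leaf without an AKI picks up every certificate whose subject is "CN=Issuing CA" (serials 10 and 11) and leaves the choice to GetIssuer, while the leaf whose AKI names issuer "CN=Root CA", serial 11 gets exactly one candidate. The cache hands out a single object per certificate, so both Issuing CA objects share one cached root object.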
    GetIssuer

        Given a set of parameters (time, usage, additional store) determine
        the best issuer certificate object from the issuer certificate object
        list

        Assign values for the various characteristics given here in order of
        importance:

            Simple Chain Signature Validity
            Single Issuer Signature Validity
            Usage
            Time Validity
            Simple Chain Time Nesting
            Single Issuer Time Nesting

        If the Issuer Certificate Objects list is NULL and
        !CERT_TRUST_IS_SELF_SIGNED then
            Initialize the Issuer Certificate Objects list from the
            additional store
        Search the list for the best issuer using a calculated quality value
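GetIssuer's ranking, as an added Python model (not crypt32 code): the six characteristics are folded into a single quality value with the most important one in the highest bit, which is one way to realise "a calculated quality value"; the engine's actual weighting is not given on this page. The Subject and Issuer records, the bit weights and the sample candidates are constructed.

```python
"""Model of GetIssuer's choice of the best issuer: the six characteristics listed
above are folded into one quality value, the most important one in the highest
bit, and the candidate with the largest value wins. Added illustration, not
crypt32 code; the record layout, bit weights and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Order of importance as given above; the first characteristic gets the highest
# bit so that it outweighs every combination of the ones below it.
CHARACTERISTICS = ("chain_signature_valid", "issuer_signature_valid", "usage",
                   "time_valid", "chain_time_nested", "issuer_time_nested")
WEIGHT = {name: 1 << (len(CHARACTERISTICS) - 1 - i) for i, name in enumerate(CHARACTERISTICS)}


@dataclass
class Subject:
    """The certificate object whose issuer is being looked up."""
    issuer_name: str
    self_signed: bool = False


@dataclass
class Issuer:
    """A candidate from the Issuer Certificate Objects list with the bits the engine
    keeps for it (constructed fields standing in for the CERT_TRUST_* values)."""
    subject: str
    not_before: datetime
    not_after: datetime
    eku: tuple = ()                       # empty: no Enhanced Key Usage restriction
    issuer_signature_valid: bool = False  # CERT_TRUST_IS_SIGNATURE_VALID for this issuer
    chain_signature_valid: bool = False   # ... for the issuer's simple chain
    issuer_time_nested: bool = False      # CERT_TRUST_IS_TIME_NESTED for this issuer
    chain_time_nested: bool = False       # ... for the issuer's simple chain


def quality(issuer, time, usage):
    """Score one candidate for the requested time and usage (None = any usage)."""
    bits = {
        "chain_signature_valid": issuer.chain_signature_valid,
        "issuer_signature_valid": issuer.issuer_signature_valid,
        "usage": usage is None or not issuer.eku or usage in issuer.eku,
        "time_valid": issuer.not_before <= time <= issuer.not_after,
        "chain_time_nested": issuer.chain_time_nested,
        "issuer_time_nested": issuer.issuer_time_nested,
    }
    return sum(WEIGHT[name] for name, ok in bits.items() if ok)


def get_issuer(subject, issuer_list, time, usage, additional_store=()):
    """GetIssuer: a NULL list for a non-self-signed subject is first initialized by
    name match from the additional store, then the best-scoring candidate wins."""
    if issuer_list is None and not subject.self_signed:
        issuer_list = [c for c in additional_store if c.subject == subject.issuer_name]
    if not issuer_list:
        return None
    return max(issuer_list, key=lambda c: quality(c, time, usage))


# Constructed candidates that all carry the subject name the leaf's issuer field
# names: an expired certificate with a valid signature, a current one whose
# signature does not verify, and a current one whose EKU lacks server auth.
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
T_NOW = datetime(2024, 6, 1)
EXPIRED_GOOD = Issuer("CN=Issuing CA", datetime(2014, 1, 1), datetime(2024, 1, 1),
                      (SERVER_AUTH, CLIENT_AUTH), True, True, True, True)
CURRENT_BAD_SIG = Issuer("CN=Issuing CA", datetime(2024, 1, 1), datetime(2034, 1, 1),
                         (SERVER_AUTH, CLIENT_AUTH), False, False, True, True)
CURRENT_CLIENT_ONLY = Issuer("CN=Issuing CA", datetime(2024, 1, 1), datetime(2034, 1, 1),
                             (CLIENT_AUTH,), True, True, True, True)
CANDIDATES = [EXPIRED_GOOD, CURRENT_BAD_SIG, CURRENT_CLIENT_ONLY]
LEAF = Subject(issuer_name="CN=Issuing CA")
```

For server authentication the expired candidate with a verifying signature scores 59 and wins over both current ones (15 and 55): signature validity and usage rank above time validity, so the engine would rather report an expired chain than a chain through a certificate that does not verify or does not cover the usage. For client authentication or for "any usage" the current, correctly signed candidate scores 63 and wins. The order in which the name match discovered the candidates plays no part.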
Certificate Object Cache

    This is an LRU maintained cache of certificate object references keyed by the
    following:

        Certificate Object Identifier
        Subject Name
        Issuer Name
        Certificate Hash (MD5)

Trust List Entry Object

    This object represents a certificate's entry in a trust list. The information
    contained is as follows:

        Trust List Object
        CTL Entry

Trust List Object

    This object represents a CTL and wraps the CTL context. It also caches
    certificate object references which are in this CTL and have been seen by
    this chain engine. The information contained is as follows:

        Trust List Identifier
        Enhanced Key Usage
        CTL Context
        CTL Subject Certificate Objects (LRU bounded list)
        CTL Signer Certificate Object

Trust List Object Cache

    This is a cache of trust list object references keyed by the following:

        Trust List Identifier
        Trust List Usage (individual usages are separated)

    The cache is initialized from the "trust" store at creation of the chain engine
    and updated when the store changes.

Revocation Entry Object

    This object represents a certificate's current revocation state. The
    information contained is as follows:

        Revocation List Object
        CRL Entry

Revocation List Object

    This object represents a CRL and wraps the CRL context. It also caches
    certificate object references which are in this CRL and have been seen by
    this chain engine. The information contained is as follows:

        Revocation List Origin Identifier
        CRL Context
        CRL Entry Certificate Objects (list)
        CRL Issuer Certificate Object

Revocation List Object Cache

    This is an LRU maintained cache of revocation list object references keyed by
    the revocation list origin identifier.
================================================================================
Algorithms
================================================================================

CertGetCertificateChain

    Find the end cert in the certificate object cache and if not found create a
    temporary certificate object
    Make the end certificate object the current certificate object and until
    there are no more current objects do the following:
        Add the current object to the current simple chain
        Get the issuer of the current object
  137. temporary certificate object
  138. Make the end certificate object the current certificate object and until
  139. there are no more current objects do the following:
  140. Add the current object to the current simple chain
  141. Get the issuer of the current object
  142.