Source code of Windows XP (NT5)
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
================================================================================ Data Structures ================================================================================
Certificate Object
This is the main object for caching of trust information for a certificate. It contains information which will be used to build the chain context. This data is specified as follows:
Certificate Object Identifier (MD5 hash of issuer and serial no.)
Certificate Context
Pre calculated Trust Status Bits
CERT_TRUST_IS_SELF_SIGNED CERT_TRUST_IS_IN_ROOT_STORE CERT_TRUST_HAS_EXACT_MATCH_ISSUER
CERT_TRUST_IS_SIGNATURE_VALID (if it is self-signed)
Enhanced Key Usage (merged and sorted)
Issuer Certificate Objects (list)
CERT_TRUST_IS_SIGNATURE_VALID for each issuer CERT_TRUST_IS_TIME_NESTED for each issuer
CERT_TRUST_IS_SIGNATURE_VALID for issuer simple chain CERT_TRUST_IS_TIME_NESTED For issuer simple chain
Trust List Entry Objects (LRU bounded list)
Revocation Entry Object
Construction of a Certificate Object given a certificate context is as follows:
Certificate Object Identifier is calculated
Certificate Context is duplicated
If the subject name and issuer name are equal then CERT_TRUST_IS_SELF_SIGNED is set
If it is in the root store then CERT_TRUST_IS_IN_ROOT_STORE is set
If it has the Authority Key Identifier extension then CERT_TRUST_HAS_EXACT_MATCH_ISSUER is set
Enhanced Key Usage is calculated based on extensions and properties.
Initialize Issuer Certificate Objects list
If !CERT_TRUST_IS_SELF_SIGNED then If CERT_TRUST_HAS_EXACT_MATCH_ISSUER then FindExactMatchIssuersInEngine RetrieveExactMatchIssuersByUrl Otherwise FindNameMatchIssuersInEngine
Trust List Entry Objects is set to NULL
Revocation Entry Object is set to NULL
FindExactMatchIssuersInEngine
Check Certificate Object Cache for objects which match the given issuer and serial no. ( certificate object identifier )
Add them to the Issuer Certificate Objects list
Check configured stores for certificates which have the same Issuer and Serial No. and for each certificate
If not found by hash in the Certificate Object Cache then Create Certificate Object Add to the Certificate Object Cache Add to the Issuer Certificate Objects list
RetrieveExactMatchIssuersByUrl
Retrieve the certificate using the encoded URL
Check the Certificate Object Cache for object matching the certificate hash
If not found by hash then Create Certificate Object Add to the Certificate Object Cache Add to Issuer Certificate Objects list
FindNameMatchIssuersInEngine
Get the issuer name from the certificate context in the certificate object
Check the Certificate Object Cache for objects whose subject name match the issuer name retrieved
Add them to the Issuer Certificate Objects list
Check configured stores for certificates whose subject name match the issuer name retrieved and for each certificate
If not found by hash in the Certificate Object Cache then Create Certificate Object Add to the Certificate Object Cache Add to the Issuer Certificate Objects list
GetIssuer
Given a set of parameters (time, usage, additional store) determine the best issuer certificate object from the issuer certificate object list
Assign values for the various characteristics given here in order of importance:
Simple Chain Signature Validity Single Issuer Signature Validity Usage Time Validity Simple Chain Time Nesting Single Issuer Time Nesting
If the Issuer Certificate Objects list is NULL and !CERT_TRUST_IS_SELF_SIGNED then Initialize the Issuer Certificate Objects list from the additional store
Search the list for the best issuer using a calculated quality value
Certificate Object Cache
This is an LRU maintained cache of certificate object references keyed by the following:
Certificate Object Identifier
Subject Name
Issuer Name
Certificate Hash (MD5)
Trust List Entry Object
This object represents a certificate's entry in a trust list. The information contained is as follows:
Trust List Object
CTL Entry
Trust List Object
This object represents a CTL and wraps the CTL context. It also caches certificate object references which are in this CTL and have been seen by this chain engine. The information contained is as follows:
Trust List Identifier
Enhanced Key Usage
CTL Context
CTL Subject Certificate Objects (LRU bounded list)
CTL Signer Certificate Object
Trust List Object Cache
This is a cache of trust list object references keyed by the following:
Trust List Identifier
Trust List Usage (Individual usages are separated)
The cache is initialized from the "trust" store at creation of the chain engine and updated when the store changes.
Revocation Entry Object
This object represents a certificate's current revocation state. The information contained is as follows:
Revocation List Object
CRL Entry
Revocation List Object
This object represents a CRL and wraps the CRL context. It also caches certificate object references which are in this CRL and have been seen by this chain engine. The information contained is as follows:
Revocation List Origin Identifier
CRL context
CRL Entry Certificate Objects (list)
CRL Issuer Certificate Object
Revocation List Object Cache
This is an LRU maintained cache of revocation object references keyed by the revocation list origin identifier
================================================================================ Algorithms ================================================================================
CertGetCertificateChain
Find end cert in certificate object cache and if not found create a temporary certificate object
Make the end certificate object the current certificate object and until there are no more current objects do the following:
Add the current object to the current simple chain
Get the issuer of the current object
|