[kmf-discuss] kmf_validate_cert changes
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Jan 10 14:13:52 PST 2008
In order to support SSH's validation functionality, I think we need to do the following; please verify.
kmf_validate_cert currently takes a single cert and an optional OCSP response along with that cert. If the OCSP response is not given, the function will attempt to go over the network and get one, either by using the OCSP responder URI extension in the cert or by using a fixed OCSP responder if specified in the KMF policy.
In order to validate an entire chain, we need to change the arguments to kmf_validate_cert. I propose a new argument:
KMF_CERT_RESP_LIST_ATTR
KMF_CERT_RESP_LIST_LEN_ATTR
typedef struct {
	KMF_DATA *cert;	/* DER cert, must be non-NULL */
	KMF_DATA *resp;	/* OCSP response for cert, or NULL to have KMF fetch one */
} KMF_CERT_RESP_PAIR;
The cert data must be non-null. If the ocsp_resp data is NULL, then kmf_validate_cert will go fetch an OCSP response as usual (see above).

The list of pairs MUST be in order, meaning the cert at index 0 is the subject cert, the cert at index 1 is the issuer of the one at index 0, etc. The last cert in the list is the trust anchor.

kmf_validate_cert will compare subjects, issuers, and signatures along the chain.
Example of use:
===
KMF_CERT_RESP_PAIR certchain[3];
...
certchain[0].cert = &cert_data1;
certchain[0].resp = &resp1;
certchain[1].cert = &cert_data2;
certchain[1].resp = NULL; /* KMF will fetch OCSP for this one */
certchain[2].cert = &ta_cert;
certchain[2].resp = NULL; /* KMF will fetch OCSP for this one */
len = 3;
kmf_set_attr_at_index(attrlist, numattr++, KMF_CERT_RESP_LIST_ATTR,
    certchain, sizeof (certchain));
kmf_set_attr_at_index(attrlist, numattr++, KMF_CERT_RESP_LIST_LEN_ATTR,
    &len, sizeof (len));
...
rv = kmf_validate_cert(handle, numattr, attrlist);
===
Will this work for SSH and PKINIT needs?
-Wyllys
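As an added example (not libkmf code and not from the post): a C check of the ordering contract the proposed KMF_CERT_RESP_LIST_ATTR places on callers, with certificates modelled as constructed "subject;issuer" text records instead of DER so it runs stand-alone. The result codes, mk(), names(), check_chain_order() and example_chain() are assumptions of this example; only the KMF_DATA layout and the proposed pair struct come from KMF and the post.

```c
#include <string.h>
/* KMF_DATA as declared in libkmf; KMF_CERT_RESP_PAIR as proposed in the post. */
typedef struct { size_t Length; unsigned char *Data; } KMF_DATA;
typedef struct { KMF_DATA *cert; KMF_DATA *resp; } KMF_CERT_RESP_PAIR;
/* Hypothetical result codes for this check (not KMF_RETURN values). */
enum { CHAIN_OK = 0, CHAIN_EMPTY, CHAIN_BAD_CERT, CHAIN_BAD_LINK, CHAIN_NO_ANCHOR };
/* Constructed stand-in for a DER cert: the text record "subject;issuer". */
static KMF_DATA mk(const char *s) { KMF_DATA d = { strlen(s), (unsigned char *)s }; return d; }

/* Split a record into subject and issuer; -1 if NULL or malformed. n is each buffer's size. */
static int names(const KMF_DATA *d, char *subj, char *iss, size_t n)
{
    if (d == NULL || d->Data == NULL) return -1;
    const char *sep = memchr(d->Data, ';', d->Length);
    if (sep == NULL) return -1;
    size_t sl = (size_t)(sep - (const char *)d->Data), il = d->Length - sl - 1;
    if (sl >= n || il >= n) return -1;
    memcpy(subj, d->Data, sl); subj[sl] = '\0';
    memcpy(iss, sep + 1, il); iss[il] = '\0';
    return 0;
}

/* List contract from the post: chain[i] is issued by chain[i+1], the last entry is
 * self-issued (trust anchor). *fetch counts resp == NULL entries, i.e. OCSP fetches needed. */
int check_chain_order(const KMF_CERT_RESP_PAIR *chain, size_t len, size_t *fetch)
{
    char subj[64], iss[64], nsubj[64], niss[64];
    if (len == 0) return CHAIN_EMPTY;
    *fetch = 0;
    for (size_t i = 0; i < len; i++) {
        if (chain[i].resp == NULL) (*fetch)++;
        if (names(chain[i].cert, subj, iss, sizeof subj) != 0) return CHAIN_BAD_CERT;
        if (i + 1 == len) return strcmp(subj, iss) == 0 ? CHAIN_OK : CHAIN_NO_ANCHOR;
        if (names(chain[i + 1].cert, nsubj, niss, sizeof nsubj) != 0) return CHAIN_BAD_CERT;
        if (strcmp(iss, nsubj) != 0) return CHAIN_BAD_LINK;
    }
    return CHAIN_OK;
}

/* The post's three-entry chain with constructed names; swap != 0 exchanges the first two. */
int example_chain(int swap, size_t *fetch)
{
    KMF_DATA leaf = mk("CN=ssh-host;CN=Sub CA"), sub = mk("CN=Sub CA;CN=Root CA");
    KMF_DATA root = mk("CN=Root CA;CN=Root CA"), resp1 = mk("ocsp-response-1");
    KMF_CERT_RESP_PAIR chain[3] = { { &leaf, &resp1 }, { &sub, NULL }, { &root, NULL } };
    if (swap) { KMF_CERT_RESP_PAIR t = chain[0]; chain[0] = chain[1]; chain[1] = t; }
    return check_chain_order(chain, 3, fetch);
}
size_t example_fetch_count(void) { size_t f = 0; example_chain(0, &f); return f; } /* ordered chain */
```

With the chain ordered as the post requires the check passes and reports two entries needing an OCSP fetch; with the first two entries swapped it fails at the first issuer/subject link.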