PKIF for Mac Publisher's description
from PKIF Team
A cross-platform library for performing PKIX-compliant certificate processing
The PKI Framework (PKIF) includes support for OCSP, CMS and Timestamps.
PKIF uses CAPI, NSS or Crypto++ for cryptographic services and hardware support.
Here are some key features of "PKIF":
· Certification path building and discovery compatible with the DoD PKI and the Federal bridged environments.
· RFC 5280-compliant path validation.
· Supports RFC 3852 (Cryptographic Message Syntax).
· Supports RFC 3161 (Timestamp protocol).
· New: supports RFC 5055 (SCVP) and RFC 4998 (ERS), along with RFC 5276 (SCVP/ERS wantBacks).
· wxWidgets-based cross-platform GUI controls.
· Enabling applications is simple.
· Multiple certificate sources are supported, including LDAP-accessible directories, web servers, CAPI certificate stores, NSS certificate stores and other application-specified sources.
· Can retrieve revocation information from local stores and application-specified sources (such as an LDAP directory), and can follow CRL distribution points.
· Can use OCSP responders specified in AIA extensions.
· One or more trusted OCSP responders may be configured for path validation.
· Configurable to make the most of your infrastructure.
· Configurations can be created centrally and pushed out using your existing management tools.
What's New in This Release:
Interface changes
· Added value() to all extension classes. Added an Encode() method to CPKIFX509Extension which calls value(). value() is capable of encoding new extension instances (vs. decoding existing instances only) for the extensions required by the forthcoming PKIFTAM library (as described below). (change 9958)
· Added set methods and Encode functionality to the CPKIFPolicyConstraints class if the extension value is not set or if it was changed. (change 9959)
· Added set methods and Encode functionality to the CPKIFPolicyInformationSet class if the extension value is not set or if it was changed. (change 9966)
· Added set methods and Encode functionality to the CPKIFNameConstraints class if the extension value is not set or if it was changed. (change 9968)
· Added set methods and Encode functionality to the CPKIFInhibitAnyPolicy class if the extension value is not set or if it was changed. (change 9968)
· Removed pure-virtual declaration from the destructor in IPKIFPasswordCallback. (change 9989)
· Added set methods and Encode functionality to the SKID class if the extension value is not set or if it was changed. (change 10120)
· IntersectSets() and IntersectSubtrees() functions are now exported. (change 10000)
· Declared GetCredential as exported. (change 10056)
· Changed the default value of a parameter to GetSignerInfo in PrivatePKIFCMSUtils.h. The previous default was causing SKIDs not to be used where they should have been when generating SignerInfo objects. (change 10065)
· Added novtable to CPKIFContentType. (change 10065)
· Added operator== to the CPKIFSubjectPublicKeyInfo class. Declared the rawKey and numBits functions as const. (change 10085)
· Added functions to CPKIFPathValidationResults to make reading of final state information possible. (change 10087)
· Added the IPKIFHasExtensions interface to CACTrustRoot. (change 10093)
· Added a flag to allow applications to avoid enforcing key usage when generating SignedData messages (defaults to true, requiring enforcement) and when verifying SignedData messages. (changes 10096 and 10097)
· Added a smart pointer declaration for the IPKIFHasExtensions interface. (change 10121)
· Changed PKIFResources IDs to be other than the default range to decrease the likelihood of conflict with other wx applications. (change 10159)
· Added a means of enforcing RFC 5280-related constraints to the path validation colleague. By default, this feature is off. (change 10122)
· Added an Encoded function to the abstract IPKIFTrustAnchor class. (change 10174)
· Introduced operator string conversion code. (change 10258)
· Exported the extract certificate info dialog from resources. (change 10521)
· Made Linux GetTickCount return unsigned long to be consistent with Windows GetTickCount. (change 10536)
· Exported the NSS helper class. (change 10664)
· Added a way to specify an OCSP responder based on issuer name. (changes 10803, 10808, 10809)
· Edits to the PKIF registry config class to govern how failover to HKLM works. (changes 10810, 10817)
· Added a flag to allow anyPolicy to be used or not used when retrieving the initial policy set. Default behavior is as before (i.e., it is used). (change 10848)
Other significant changes
· When retrieving certificates from an AIA, the source was not being set to REMOTE. This caused the retrieved certificates not to be added to the in-memory store and CAPI/NSS stores. (change 9956)
· Fixed a bug in the operator== implementation for CPKIFCertificate, which was not dereferencing smart pointers to buffers. (change 9960)
· Renamed buildlog files to silence warnings when building on multi-processor machines. (change 9962)
· Added a check for a NULL TA subject name to SimpleRootStore. As non-certificate TA support is added, a name is not reliably present. (change 10067)
· The path validator was not setting the TA on the results object when the target is a TA. (change 10098)
· Fixed the logger, which was erroneously reporting that no path had been constructed when a non-certificate TA was used. (change 10115)
· Updated the OCSP checker to allow for usage of non-certificate TAs. (change 10117)
· Fixed an indefinite-length octet string decoding bug. (change 10118)
· The CExtractInfoFromCertDialog had been obtaining RDNs by splitting string representations of DNs at each comma. This doesn't work. Changed to use the CPKIFName::GetRDNs function. (change 10167)
· Changed CPKIFNameConstraintsEntryDlg to disallow manual entry of DNs. (change 10169)
· Initialized member variables in the default constructor. (change 10209)
· Changed the path settings notebook so it will now return a path settings object with no certificate policies if the user empties the list box. Previously, it returned a list with anyPolicy. (change 10212)
· Changed the regular expression that determines if a string is an email address (it was failing to detect some email addresses, including those with a in the domain name). (change 10220)
· Added a trust list sort class. It will put TAs with matching SKIDs at the front of the list in the path builder. (change 10240)
· Added a loop so that when validating the OCSP responder certificate more than one path can be tried. (change 10240)
· Fixed a bug that resulted in SCVP namespaces not being serialized. (change 10263)
· Added a namespace check at the beginning of the build/validate functions in the SCVP client. (change 10264)
· Various fixes to the path builder, which was not consulting remote sources in some cases. (changes 10265, 10266, 10278, 10283, 10284)
· Moved local build and validate to appear after SCVP in the serializer. (change 10289)
· Added a check that removes the EE cert from the table if it failed with the PATH_VALIDITY_PERIOD_VIOLATION_NOT_YET_VALID or PATH_VALIDITY_PERIOD_VIOLATION_EXPIRED error codes on the previous attempt. (change 10319)
· Fixed a bug in the cache mediator that was causing remote CRLs to be retrieved when LOCAL sources were consulted. (change 10369)
· Fixed some delay-loading issues related to wantBack OIDs in the resources and configuration serialization libraries. (change 10411)
· Added code to check namespaces for each certificate in a path when CheckStatusPath is invoked. Previously, this call would only check the namespace of the target certificate, so some unintended OCSP requests were generated. (change 10577)
· Changed the builder to exhaust local options before considering remote resources. (changes 10582, 10583, 10589)
· Various changes related to reducing the number of duplicate paths that may be returned during iterative building. (changes 10589, 10598, 10608, 10609, 10611)
· Fixed a bug in the scoring class to eliminate duplication of some certificates. (change 10589)
· Added HTTP blacklist support to the serializer. (change 10593)
· Fixed a few places where SetSource was called with ALL instead of REMOTE or LOCAL. This was causing some paths to be returned more than once by the builder during iterative building. (change 10596)
· Added try/catch around all calls to GetExtension in the certificate scoring function. We'll still fail to validate paths with busted extensions, but the builder will work. (change 10602)
· Added the calling application to audit output on Windows. (change 10620)
· Converted PKIFErrorLookup to use wx and run on Linux. (changes 10626 and 10628)
· Added a check to disable NSS options in the PKIF resources UI if NSS is not available. (change 10665)
· Relaxed the builder filter to allow any critical extension to pass; the validator will now have to handle this. We were seeing problems when paths had unrecognized critical extensions because the filter does not use the additional checks specified by the caller (and cannot, because there is currently no means of extracting them). (change 10669)
· Fixed a bug in PEMDecode that was requiring NULL termination where NULL termination was not guaranteed. (change 10735)
· Various memory leak fixes. (changes 10707, 10708, 10718, 10719, 10736, 10752)
· Fixed a memory leak in PKIFCryptoPPRaw. (change 10789)
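The CExtractInfoFromCertDialog fix (change 10167) above replaced splitting DN strings at every comma with CPKIFName::GetRDNs. The following is an added Python example, not PKIF code, showing why the naive split fails: RFC 4514 lets a comma appear inside an attribute value when escaped as `\,` or as the hex pair `\2C`, so a splitter must honour escapes. The sample DN and the helper names are constructed for this illustration; multi-valued RDNs joined with `+` are not handled.

```python
"""Splitting an RFC 4514 string DN into RDNs without breaking on escaped commas.
Added example (not PKIF code) for the change 10167 note above."""

HEX = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split a string DN into RDN strings at unescaped commas.

    A backslash protects the next character (or a two-digit hex pair such
    as '\\2C' for ','), so an escaped comma is part of the value, not a
    separator. Escape sequences are kept intact in the returned pieces.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape with what it protects
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape_value(value):
    """Resolve RFC 4514 escapes: '\\X' -> X, '\\HH' -> byte HH (UTF-8 assumed)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """Return (type, value) pairs with escapes resolved; single-valued RDNs only."""
    pairs = []
    for rdn in split_dn(dn):
        attr_type, _, raw = rdn.partition("=")
        pairs.append((attr_type.strip(), unescape_value(raw)))
    return pairs


# Constructed sample: O contains an escaped comma, OU a hex-escaped one.
SAMPLE_DN = r"CN=Jane Doe,O=Acme\, Inc.,OU=R\2CD,C=US"

if __name__ == "__main__":
    print("naive split:", SAMPLE_DN.split(","))  # 5 pieces, O and OU are broken
    print("RFC 4514   :", parse_dn(SAMPLE_DN))    # 4 RDNs, O is 'Acme, Inc.'
```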
System Requirements: No special requirements.
Program Release Status:
Program Install Support: Install and Uninstall