PKIF

A cross-platform library for performing PKIX-compliant certificate processing

PKIF Ranking & Summary

  • License: GPL
  • Price: FREE
  • Publisher Name: PKIF Team
  • Operating Systems: Mac OS X
  • File Size: 36 KB

PKIF Description

The PKI Framework (PKIF) includes support for OCSP, CMS and Timestamps. PKIF uses CAPI, NSS or Crypto++ for cryptographic services and hardware support.

Here are some key features of "PKIF":

· Certification path building and discovery compatible with the DoD PKI and the Federal bridged environments.
· RFC 5280-compliant path validation.
· Supports RFC 3852 (Cryptographic Message Syntax).
· Supports RFC 3161 (Timestamp protocol).
· New: supports RFC 5055 (SCVP) and RFC 4998 (ERS) along with RFC 5276 (SCVP/ERS wantBacks).
· wxWidgets-based cross-platform GUI controls.
· Enabling applications is simple.
· Multiple certificate sources are supported, including LDAP-accessible directories, web servers, CAPI certificate stores, NSS certificate stores and other application-specified sources.
· Can retrieve revocation information from local stores, application-specified sources (such as an LDAP directory) and follow CRL distribution points.
· Can use OCSP responders specified in AIA extensions.
· One or more trusted OCSP responder(s) may be configured for path validation.
· Configurable to make the most of your infrastructure.
· Configurations can be created centrally and pushed out using your existing management tools.

What's New in This Release:

· Fixed bug in the implementation of the noCheck extension. Previously, the status of CA certificates in the path to an OCSP responder certificate would be accepted even if revocation status had not been determined (i.e., revoked CAs would be rejected only if revocation status information is accessible).
· Added XML samples.
· Added initial release of PKIFERS library.
· Added initial release of PKIFSCVP library.
· Enabled usage of native NSS on Red Hat. No longer use private NSS interfaces for AES key wrap support.
· Dropped VMAC from the cryptopp distributed with PKIF due to problems when built on SELinux and the fact that it was not used.
· Various improvements to the build system for recent Linux distributions.
· Added EC support using NSS. Previously only CryptoPP colleagues supported EC.
· Corrected handling of wxstring objects and string literals in PKIFResources to better support Unicode builds.
· Added support for initial name constraints input to path validation.
· Changed simple cert store and CAPI cert store colleagues to return a list of all certificates in the store when presented a NULL subDN parameter.
· Fixed bug in path builder to correct misbehavior in builder statistics. Total paths discovered now equals paths rejected due to validation errors + returned paths. Previously, total paths also included paths that were rejected as having a cycle; such paths are no longer counted in the builder statistics.
· Fixed a bug in PKIFResources to ensure CAPI trust anchor CRL repository objects are included in the mediator set when the HKLM trust store option is checked.
· Turned on CURL option to chase HTTP referrals in the PostRequestURL function.
· Generate a manifest describing the contents written during a path dump operation.
· Modified path builder to use the AIA/SIA retrieval colleague instead of directly invoking functions to retrieve certificates from certificate-based pointers. This allows URI chasing to be omitted by leaving the AIA/SIA SR colleague out of the mediator/colleague set.
· Added SIA/AIA retrieval colleague to the mediator set composed by MakeDefaultMediator (for both NSS and non-NSS). Added CRL DP colleague to NSS MakeDefaultMediator (it was already in non-NSS).
· Added blacklist details to path log output.
· Added trust anchor details to path log output.
· Completed integration of synonymous source store colleague, with various fixes applied to SR and PATH components. This reduces network access when retrieving materials from certificate-based URIs.
· Added appInfo parameter to DumpResults and DumpPath to allow the caller to customize the output.
· Fixed uninitialized variable in CPKIFCertificateNodeEntry.
· Made changes to CAPI code that uses a temporary key store during symmetric encryption operations. Administratively changed Windows passwords had been causing problems previously.
· Modified CAPIRaw colleague to handle input whose size is not a multiple of the block size.
· Fixed bug in name constraints processing that was resulting in paths that included name constraints plus an end entity certificate with a UPN being rejected.
· Added revocation status cache to revocation status mediator.
· Added validated OCSP responder cache.
· Eliminated Pragma: no-cache from PostRequestURL to enable use of an HTTP proxy.
· Made stricmp and strcasecmp usage consistent throughout the library.
· Added source information to path log output for certificates.

