ISCCertificateStoreExtension

Last updated on: 5/15/2013 4:56 PM 
Created on: 11/2/2016 2:22 PM 

The core technology behind the security offered in SC-7 is the well proven Public Key Infrastructure (PKI). The technology that makes all the aspects of PKI functional is the concept of X.509 Public Key certificates. Certificates contain a vast amount of information about how the contained key can be used and much of this information isn't required by the end user. The framework understands these usage fields and extension attributes and presents the appropriate certificates based on the action in operation. Certificates also contain identification information and the framework automatically presents this information similar to an address book for e-mail or social media applications. The challenge is that certificates can come from a number of valid sources, usually at the same time, so the framework needs the ability to communicate with vastly different certificate repositories.

To solve this problem the framework implements a certificate manager. This manager class is responsible for coordinating access between one or more certificate repositories that implement the ISCCertificateStoreExtension() interface. This interface provides the common way for the framework's certificate manager to manipulate certificate stores. There are a total of 13 interface methods that need to be implemented and only one pure virtual, GetName() which must return the name of the certificate repository. Along with GetName() is GetImage() which can return a custom resource identifier to the image to associate with this repository. The framework may also make use of this implementation's object description which is set by assigning the description in the constructor to the m_strObjectDesc member.

The GetCertStoreOptions() method must return a mask of one or more certificate store options flags or CSOF_NONE if there are no extended options suporrted by this certificate store. The remaining flag options are as follows:

All certificates must be considered stored in a group and therefore the certificate repository access class must implement the EnumGroup() method. This method takes the zero-based index of the group to enumerate and returns the group name along with any of the above listed flags indicating if the group serves a special purpose. The framework may also at times look for groups that serve a specific purpose thus the GetGroupByType() method must also be implemented. If the certificate store allows for user created groups then three additional methods must be implemented: CreateGroup(), RenameGroup(), DeleteGroup().

All certificates within the group must be enumerated by implementing the EnumCertificate() method. This method must return a certificate enumeration handle which is then used by all the remaining certificate access methods(). Like wise, two AddCertificate() methods, one that accepts a private key and one that does not, must also return one of these handles. The handles will be freed by the certificate manager through the interface's ReleaseHandle() method. Implement the GetCertificateFromHandle() method to provide back the certificate represented by the enumeration handle and an optional private component. Implement the DeleteCertificate() method to remove the certificate represented by the enumeration handle from the repository. The DeleteCertificate() method contain an additional parameter, bForce, to indicate if the certificate should be deleted by user request, regardless of importance.