tor-browser

pkix_tools.c (51404B)

---

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* pkix_tools.c
*
* Private Utility Functions
*
*/

#include "pkix_tools.h"

#define CACHE_ITEM_PERIOD_SECONDS  (3600)  /* one hour */

/*
* This cahce period is only for CertCache. A Cert from a trusted CertStore
* should be checked more frequently for update new arrival, etc.
*/
#define CACHE_TRUST_ITEM_PERIOD_SECONDS  (CACHE_ITEM_PERIOD_SECONDS/10)

extern PKIX_PL_HashTable *cachedCertChainTable;
extern PKIX_PL_HashTable *cachedCertTable;
extern PKIX_PL_HashTable *cachedCrlEntryTable;

/* Following variables are used to checked cache hits - can be taken out */
extern int pkix_ccAddCount;
extern int pkix_ccLookupCount;
extern int pkix_ccRemoveCount;
extern int pkix_cAddCount;
extern int pkix_cLookupCount;
extern int pkix_cRemoveCount;
extern int pkix_ceAddCount;
extern int pkix_ceLookupCount;

#ifdef PKIX_OBJECT_LEAK_TEST
/* Following variables are used for object leak test */
char *nonNullValue = "Non Empty Value";
PKIX_Boolean noErrorState = PKIX_TRUE;
PKIX_Boolean runningLeakTest;
PKIX_Boolean errorGenerated;
PKIX_UInt32 stackPosition;
PKIX_UInt32 *fnStackInvCountArr;
char **fnStackNameArr;
PLHashTable *fnInvTable;
PKIX_UInt32 testStartFnStackPosition;
char *errorFnStackString;
#endif /* PKIX_OBJECT_LEAK_TEST */

/* --Private-Functions-------------------------------------------- */

#ifdef PKIX_OBJECT_LEAK_TEST
/*
* FUNCTION: pkix_ErrorGen_Hash
* DESCRIPTION:
*
* Hash function to be used in object leak test hash table.
*
*/
PLHashNumber PR_CALLBACK
pkix_ErrorGen_Hash (const void *key)
{
   char *str = NULL;
   PLHashNumber rv = (*(PRUint8*)key) << 5;
   PRUint32 i, counter = 0;
   PRUint8 *rvc = (PRUint8 *)&rv;

   while ((str = fnStackNameArr[counter++]) != NULL) {
       PRUint32 len = strlen(str);
       for( i = 0; i < len; i++ ) {
           rvc[ i % sizeof(rv) ] ^= *str;
           str++;
       }
   }

   return rv;
}

#endif /* PKIX_OBJECT_LEAK_TEST */

/*
* FUNCTION: pkix_IsCertSelfIssued
* DESCRIPTION:
*
*  Checks whether the Cert pointed to by "cert" is self-issued and stores the
*  Boolean result at "pSelfIssued". A Cert is considered self-issued if the
*  Cert's issuer matches the Cert's subject. If the subject or issuer is
*  not specified, a PKIX_FALSE is returned.
*
* PARAMETERS:
*  "cert"
*      Address of Cert used to determine whether Cert is self-issued.
*      Must be non-NULL.
*  "pSelfIssued"
*      Address where Boolean will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a Cert Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_IsCertSelfIssued(
       PKIX_PL_Cert *cert,
       PKIX_Boolean *pSelfIssued,
       void *plContext)
{
       PKIX_PL_X500Name *subject = NULL;
       PKIX_PL_X500Name *issuer = NULL;

       PKIX_ENTER(CERT, "pkix_IsCertSelfIssued");
       PKIX_NULLCHECK_TWO(cert, pSelfIssued);

       PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &subject, plContext),
                   PKIX_CERTGETSUBJECTFAILED);

       PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &issuer, plContext),
                   PKIX_CERTGETISSUERFAILED);

       if (subject == NULL || issuer == NULL) {
               *pSelfIssued = PKIX_FALSE;
       } else {

               PKIX_CHECK(PKIX_PL_X500Name_Match
                   (subject, issuer, pSelfIssued, plContext),
                   PKIX_X500NAMEMATCHFAILED);
       }

cleanup:
       PKIX_DECREF(subject);
       PKIX_DECREF(issuer);

       PKIX_RETURN(CERT);
}

/*
* FUNCTION: pkix_Throw
* DESCRIPTION:
*
*  Creates an Error using the value of "errorCode", the character array
*  pointed to by "funcName", the character array pointed to by "errorText",
*  and the Error pointed to by "cause" (if any), and stores it at "pError".
*
*  If "cause" is not NULL and has an errorCode of "PKIX_FATAL_ERROR",
*  then there is no point creating a new Error object. Rather, we simply
*  store "cause" at "pError".
*
* PARAMETERS:
*  "errorCode"
*      Value of error code.
*  "funcName"
*      Address of EscASCII array representing name of function throwing error.
*      Must be non-NULL.
*  "errnum"
*      PKIX_ERRMSGNUM of error description for new error.
*  "cause"
*      Address of Error representing error's cause.
*  "pError"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_Throw(
       PKIX_ERRORCLASS errorClass,
       const char *funcName,
       PKIX_ERRORCODE errorCode,
       PKIX_ERRORCLASS overrideClass,
       PKIX_Error *cause,
       PKIX_Error **pError,
       void *plContext)
{
       PKIX_Error *error = NULL;

       PKIX_ENTER(ERROR, "pkix_Throw");
       PKIX_NULLCHECK_TWO(funcName, pError);

       *pError = NULL;

#ifdef PKIX_OBJECT_LEAK_TEST        
       noErrorState = PKIX_TRUE;
       if (pkixLog) {
#ifdef PKIX_ERROR_DESCRIPTION            
           PR_LOG(pkixLog, 4, ("Error in function \"%s\":\"%s\" with cause \"%s\"\n",
                               funcName, PKIX_ErrorText[errorCode],
                               (cause ? PKIX_ErrorText[cause->errCode] : "null")));
#else
           PR_LOG(pkixLog, 4, ("Error in function \"%s\": error code \"%d\"\n",
                               funcName, errorCode));
#endif /* PKIX_ERROR_DESCRIPTION */
           PORT_Assert(strcmp(funcName, "PKIX_PL_Object_DecRef"));
       }
#endif /* PKIX_OBJECT_LEAK_TEST */

       /* if cause has error class of PKIX_FATAL_ERROR, return immediately */
       if (cause) {
               if (cause->errClass == PKIX_FATAL_ERROR){
                       PKIX_INCREF(cause);
                       *pError = cause;
                       goto cleanup;
               }
       }
       
       if (overrideClass == PKIX_FATAL_ERROR){
               errorClass = overrideClass;
       }

      pkixTempResult = PKIX_Error_Create(errorClass, cause, NULL,
                                          errorCode, &error, plContext);
      
      if (!pkixTempResult) {
          /* Setting plErr error code:
           *    get it from PORT_GetError if it is a leaf error and
           *    default error code does not exist(eq 0)               */
          if (!cause && !error->plErr) {
              error->plErr = PKIX_PL_GetPLErrorCode();
          }
      }

      *pError = error;

cleanup:

       PKIX_DEBUG_EXIT(ERROR);
       pkixErrorClass = 0;
#ifdef PKIX_OBJECT_LEAK_TEST        
       noErrorState = PKIX_FALSE;

       if (runningLeakTest && fnStackNameArr) {
           PR_LOG(pkixLog, 5,
                  ("%s%*s<- %s(%d) - %s\n", (errorGenerated ? "*" : " "),
                   stackPosition, " ", fnStackNameArr[stackPosition],
                   stackPosition, myFuncName));
           fnStackNameArr[stackPosition--] = NULL;
       }
#endif /* PKIX_OBJECT_LEAK_TEST */
       return (pkixTempResult);
}

/*
* FUNCTION: pkix_CheckTypes
* DESCRIPTION:
*
*  Checks that the types of the Object pointed to by "first" and the Object
*  pointed to by "second" are both equal to the value of "type". If they
*  are not equal, a PKIX_Error is returned.
*
* PARAMETERS:
*  "first"
*      Address of first Object. Must be non-NULL.
*  "second"
*      Address of second Object. Must be non-NULL.
*  "type"
*      Value of type to check against.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CheckTypes(
       PKIX_PL_Object *first,
       PKIX_PL_Object *second,
       PKIX_UInt32 type,
       void *plContext)
{
       PKIX_UInt32 firstType, secondType;

       PKIX_ENTER(OBJECT, "pkix_CheckTypes");
       PKIX_NULLCHECK_TWO(first, second);

       PKIX_CHECK(PKIX_PL_Object_GetType(first, &firstType, plContext),
                   PKIX_COULDNOTGETFIRSTOBJECTTYPE);

       PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
                   PKIX_COULDNOTGETSECONDOBJECTTYPE);

       if ((firstType != type)||(firstType != secondType)) {
               PKIX_ERROR(PKIX_OBJECTTYPESDONOTMATCH);
       }

cleanup:

       PKIX_RETURN(OBJECT);
}

/*
* FUNCTION: pkix_CheckType
* DESCRIPTION:
*
*  Checks that the type of the Object pointed to by "object" is equal to the
*  value of "type". If it is not equal, a PKIX_Error is returned.
*
* PARAMETERS:
*  "object"
*      Address of Object. Must be non-NULL.
*  "type"
*      Value of type to check against.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CheckType(
       PKIX_PL_Object *object,
       PKIX_UInt32 type,
       void *plContext)
{
       return (pkix_CheckTypes(object, object, type, plContext));
}

/*
* FUNCTION: pkix_hash
* DESCRIPTION:
*
*  Computes a hash value for "length" bytes starting at the array of bytes
*  pointed to by "bytes" and stores the result at "pHash".
*
*  XXX To speed this up, we could probably read 32 bits at a time from
*  bytes (maybe even 64 bits on some platforms)
*
* PARAMETERS:
*  "bytes"
*      Address of array of bytes to hash. Must be non-NULL.
*  "length"
*      Number of bytes to hash.
*  "pHash"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_hash(
       const unsigned char *bytes,
       PKIX_UInt32 length,
       PKIX_UInt32 *pHash,
       void *plContext)
{
       PKIX_UInt32 i;
       PKIX_UInt32 hash;

       PKIX_ENTER(OBJECT, "pkix_hash");
       if (length != 0) {
               PKIX_NULLCHECK_ONE(bytes);
       }
       PKIX_NULLCHECK_ONE(pHash);

       hash = 0;
       for (i = 0; i < length; i++) {
               /* hash = 31 * hash + bytes[i]; */
               hash = (hash << 5) - hash + bytes[i];
       }

       *pHash = hash;

       PKIX_RETURN(OBJECT);
}

/*
* FUNCTION: pkix_countArray
* DESCRIPTION:
*
*  Counts the number of elements in the  null-terminated array of pointers
*  pointed to by "array" and returns the result.
*
* PARAMETERS
*  "array"
*      Address of null-terminated array of pointers.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns the number of elements in the array.
*/
PKIX_UInt32
pkix_countArray(void **array)
{
       PKIX_UInt32 count = 0;

       if (array) {
               while (*array++) {
                       count++;
               }
       }
       return (count);
}

/*
* FUNCTION: pkix_duplicateImmutable
* DESCRIPTION:
*
*  Convenience callback function used for duplicating immutable objects.
*  Since the objects can not be modified, this function simply increments the
*  reference count on the object, and returns a reference to that object.
*
*  (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
*/
PKIX_Error *
pkix_duplicateImmutable(
       PKIX_PL_Object *object,
       PKIX_PL_Object **pNewObject,
       void *plContext)
{
       PKIX_ENTER(OBJECT, "pkix_duplicateImmutable");
       PKIX_NULLCHECK_TWO(object, pNewObject);

       PKIX_INCREF(object);

       *pNewObject = object;

cleanup:
       PKIX_RETURN(OBJECT);
}

/* --String-Encoding-Conversion-Functions------------------------ */

/*
* FUNCTION: pkix_hex2i
* DESCRIPTION:
*
*  Converts hexadecimal character "c" to its integer value and returns result.
*
* PARAMETERS
*  "c"
*      Character to convert to a hex value.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  The hexadecimal value of "c". Otherwise -1. (Unsigned 0xFFFFFFFF).
*/
PKIX_UInt32
pkix_hex2i(char c)
{
       if ((c >= '0')&&(c <= '9'))
               return (c-'0');
       else if ((c >= 'a')&&(c <= 'f'))
               return (c-'a'+10);
       else if ((c >= 'A')&&(c <= 'F'))
               return (c-'A'+10);
       else
               return ((PKIX_UInt32)(-1));
}

/*
* FUNCTION: pkix_i2hex
* DESCRIPTION:
*
*  Converts integer value "digit" to its ASCII hex value
*
* PARAMETERS
*  "digit"
*      Value of integer to convert to ASCII hex value. Must be 0-15.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  The ASCII hexadecimal value of "digit".
*/
char
pkix_i2hex(char digit)
{
       if ((digit >= 0)&&(digit <= 9))
               return (digit+'0');
       else if ((digit >= 0xa)&&(digit <= 0xf))
               return (digit - 10 + 'a');
       else
               return (-1);
}

/*
* FUNCTION: pkix_isPlaintext
* DESCRIPTION:
*
*  Returns whether character "c" is plaintext using EscASCII or EscASCII_Debug
*  depending on the value of "debug".
*
*  In EscASCII, [01, 7E] except '&' are plaintext.
*  In EscASCII_Debug [20, 7E] except '&' are plaintext.
*
* PARAMETERS:
*  "c"
*      Character to check.
*  "debug"
*      Value of debug flag.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  True if "c" is plaintext.
*/
PKIX_Boolean
pkix_isPlaintext(unsigned char c, PKIX_Boolean debug) {
       return ((c >= 0x01)&&(c <= 0x7E)&&(c != '&')&&(!debug || (c >= 20)));
}

/* --Cache-Functions------------------------ */

/*
* FUNCTION: pkix_CacheCertChain_Lookup
* DESCRIPTION:
*
*  Look up CertChain Hash Table for a cached BuildResult based on "targetCert"
*  and "anchors" as the hash keys. If there is no item to match the key,
*  PKIX_FALSE is stored at "pFound". If an item is found, its cache time is
*  compared to "testDate". If expired, the item is removed and PKIX_FALSE is
*  stored at "pFound". Otherwise, PKIX_TRUE is stored at "pFound" and the 
*  BuildResult is stored at "pBuildResult".
*  The hashtable is maintained in the following ways:
*  1) When creating the hashtable, maximum bucket size can be specified (0 for
*     unlimited). If items in a bucket reaches its full size, an new addition
*     will trigger the removal of the old as FIFO sequence.
*  2) A PKIX_PL_Date created with current time offset by constant 
*     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
*     When an item is retrieved, this date is compared against "testDate" for
*     validity. If comparison indicates this item is expired, the item is
*     removed from the bucket.
*
* PARAMETERS:
*  "targetCert"
*      Address of Target Cert as key to retrieve this CertChain. Must be 
*      non-NULL.
*  "anchors"
*      Address of PKIX_List of "anchors" is used as key to retrive CertChain.
*      Must be non-NULL.
*  "testDate"
*      Address of PKIX_PL_Date for verifying time validity and cache validity.
*      May be NULL. If testDate is NULL, this cache item will not be out-dated.
*  "pFound"
*      Address of PKIX_Boolean indicating valid data is found.
*      Must be non-NULL.
*  "pBuildResult"
*      Address where BuildResult will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CacheCertChain_Lookup(
       PKIX_PL_Cert* targetCert,
       PKIX_List* anchors,
       PKIX_PL_Date *testDate,
       PKIX_Boolean *pFound,
       PKIX_BuildResult **pBuildResult,
       void *plContext)
{
       PKIX_List *cachedValues = NULL;
       PKIX_List *cachedKeys = NULL;
       PKIX_Error *cachedCertChainError = NULL;
       PKIX_PL_Date *cacheValidUntilDate = NULL;
       PKIX_PL_Date *validityDate = NULL;
       PKIX_Int32 cmpValidTimeResult = 0;
       PKIX_Int32 cmpCacheTimeResult = 0;

       PKIX_ENTER(BUILD, "pkix_CacheCertChain_Lookup");

       PKIX_NULLCHECK_FOUR(targetCert, anchors, pFound, pBuildResult);

       *pFound = PKIX_FALSE;

       /* use trust anchors and target cert as hash key */

       PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
                   PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys,
                   (PKIX_PL_Object *)targetCert,
                   plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys,
                   (PKIX_PL_Object *)anchors,
                   plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       cachedCertChainError = PKIX_PL_HashTable_Lookup
                   (cachedCertChainTable,
                   (PKIX_PL_Object *) cachedKeys,
                   (PKIX_PL_Object **) &cachedValues,
                   plContext);

       pkix_ccLookupCount++;

       /* retrieve data from hashed value list */

       if (cachedValues != NULL && cachedCertChainError == NULL) {

           PKIX_CHECK(PKIX_List_GetItem
                   (cachedValues,
                   0,
                   (PKIX_PL_Object **) &cacheValidUntilDate,
                   plContext),
                   PKIX_LISTGETITEMFAILED);

           /* check validity time and cache age time */
           PKIX_CHECK(PKIX_List_GetItem
                   (cachedValues,
                   1,
                   (PKIX_PL_Object **) &validityDate,
                   plContext),
                   PKIX_LISTGETITEMFAILED);

           /* if testDate is not set, this cache item is not out-dated */
           if (testDate) {

               PKIX_CHECK(PKIX_PL_Object_Compare
                    ((PKIX_PL_Object *)testDate,
                    (PKIX_PL_Object *)cacheValidUntilDate,
                    &cmpCacheTimeResult,
                    plContext),
                    PKIX_OBJECTCOMPARATORFAILED);

               PKIX_CHECK(PKIX_PL_Object_Compare
                    ((PKIX_PL_Object *)testDate,
                    (PKIX_PL_Object *)validityDate,
                    &cmpValidTimeResult,
                    plContext),
                    PKIX_OBJECTCOMPARATORFAILED);
           }

           /* certs' date are all valid and cache item is not old */
           if (cmpValidTimeResult <= 0 && cmpCacheTimeResult <=0) {

               PKIX_CHECK(PKIX_List_GetItem
                   (cachedValues,
                   2,
                   (PKIX_PL_Object **) pBuildResult,
                   plContext),
                   PKIX_LISTGETITEMFAILED);

               *pFound = PKIX_TRUE;

           } else {

               pkix_ccRemoveCount++;
               *pFound = PKIX_FALSE;

               /* out-dated item, remove it from cache */
               PKIX_CHECK(PKIX_PL_HashTable_Remove
                   (cachedCertChainTable,
                   (PKIX_PL_Object *) cachedKeys,
                   plContext),
                   PKIX_HASHTABLEREMOVEFAILED);
           }
       }

cleanup:

       PKIX_DECREF(cachedValues);
       PKIX_DECREF(cachedKeys);
       PKIX_DECREF(cachedCertChainError);
       PKIX_DECREF(cacheValidUntilDate);
       PKIX_DECREF(validityDate);

       PKIX_RETURN(BUILD);

}

/*
* FUNCTION: pkix_CacheCertChain_Remove
* DESCRIPTION:
*
*  Remove CertChain Hash Table entry based on "targetCert" and "anchors"
*  as the hash keys. If there is no item to match the key, no action is
*  taken.
*  The hashtable is maintained in the following ways:
*  1) When creating the hashtable, maximum bucket size can be specified (0 for
*     unlimited). If items in a bucket reaches its full size, an new addition
*     will trigger the removal of the old as FIFO sequence.
*  2) A PKIX_PL_Date created with current time offset by constant 
*     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
*     When an item is retrieved, this date is compared against "testDate" for
*     validity. If comparison indicates this item is expired, the item is
*     removed from the bucket.
*
* PARAMETERS:
*  "targetCert"
*      Address of Target Cert as key to retrieve this CertChain. Must be 
*      non-NULL.
*  "anchors"
*      Address of PKIX_List of "anchors" is used as key to retrive CertChain.
*      Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CacheCertChain_Remove(
       PKIX_PL_Cert* targetCert,
       PKIX_List* anchors,
       void *plContext)
{
       PKIX_List *cachedKeys = NULL;

       PKIX_ENTER(BUILD, "pkix_CacheCertChain_Remove");
       PKIX_NULLCHECK_TWO(targetCert, anchors);

       /* use trust anchors and target cert as hash key */

       PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
                   PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys,
                   (PKIX_PL_Object *)targetCert,
                   plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys,
                   (PKIX_PL_Object *)anchors,
                   plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK_ONLY_FATAL(PKIX_PL_HashTable_Remove
                   (cachedCertChainTable,
                   (PKIX_PL_Object *) cachedKeys,
                   plContext),
                   PKIX_HASHTABLEREMOVEFAILED);

       pkix_ccRemoveCount++;

cleanup:

       PKIX_DECREF(cachedKeys);

       PKIX_RETURN(BUILD);

}

/*
* FUNCTION: pkix_CacheCertChain_Add
* DESCRIPTION:
*
*  Add a BuildResult to the CertChain Hash Table for a "buildResult" with
*  "targetCert" and "anchors" as the hash keys.
*  "validityDate" is the most restricted notAfter date of all Certs in
*  this CertChain and is verified when this BuildChain is retrieved.
*  The hashtable is maintained in the following ways:
*  1) When creating the hashtable, maximum bucket size can be specified (0 for
*     unlimited). If items in a bucket reaches its full size, an new addition
*     will trigger the removal of the old as FIFO sequence.
*  2) A PKIX_PL_Date created with current time offset by constant 
*     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
*     When an item is retrieved, this date is compared against "testDate" for
*     validity. If comparison indicates this item is expired, the item is
*     removed from the bucket.
*
* PARAMETERS:
*  "targetCert"
*      Address of Target Cert as key to retrieve this CertChain. Must be 
*      non-NULL.
*  "anchors"
*      Address of PKIX_List of "anchors" is used as key to retrive CertChain.
*      Must be non-NULL.
*  "validityDate"
*      Address of PKIX_PL_Date contains the most restriced notAfter time of
*      all "certs". Must be non-NULL.
*      Address of PKIX_Boolean indicating valid data is found.
*      Must be non-NULL.
*  "buildResult"
*      Address of BuildResult to be cached. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CacheCertChain_Add(
       PKIX_PL_Cert* targetCert,
       PKIX_List* anchors,
       PKIX_PL_Date *validityDate,
       PKIX_BuildResult *buildResult,
       void *plContext)
{
       PKIX_List *cachedValues = NULL;
       PKIX_List *cachedKeys = NULL;
       PKIX_Error *cachedCertChainError = NULL;
       PKIX_PL_Date *cacheValidUntilDate = NULL;

       PKIX_ENTER(BUILD, "pkix_CacheCertChain_Add");

       PKIX_NULLCHECK_FOUR(targetCert, anchors, validityDate, buildResult);

       PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
               PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedKeys, (PKIX_PL_Object *)targetCert, plContext),
               PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedKeys, (PKIX_PL_Object *)anchors, plContext),
               PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_Create(&cachedValues, plContext),
               PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_PL_Date_Create_CurrentOffBySeconds
               (CACHE_ITEM_PERIOD_SECONDS,
               &cacheValidUntilDate,
               plContext),
              PKIX_DATECREATECURRENTOFFBYSECONDSFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedValues,
               (PKIX_PL_Object *)cacheValidUntilDate,
               plContext),
               PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedValues, (PKIX_PL_Object *)validityDate, plContext),
               PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedValues, (PKIX_PL_Object *)buildResult, plContext),
               PKIX_LISTAPPENDITEMFAILED);

       cachedCertChainError = PKIX_PL_HashTable_Add
               (cachedCertChainTable,
               (PKIX_PL_Object *) cachedKeys,
               (PKIX_PL_Object *) cachedValues,
               plContext);

       pkix_ccAddCount++;

       if (cachedCertChainError != NULL) {
               PKIX_DEBUG("PKIX_PL_HashTable_Add for CertChain skipped: "
                       "entry existed\n");
       }

cleanup:

       PKIX_DECREF(cachedValues);
       PKIX_DECREF(cachedKeys);
       PKIX_DECREF(cachedCertChainError);
       PKIX_DECREF(cacheValidUntilDate);

       PKIX_RETURN(BUILD);
}

/*
* FUNCTION: pkix_CacheCert_Lookup
* DESCRIPTION:
*
*  Look up Cert Hash Table for a cached item based on "store" and Subject in
*  "certSelParams" as the hash keys and returns values Certs in "pCerts".
*  If there isn't an item to match the key, a PKIX_FALSE is returned at
*  "pFound". The item's cache time is verified with "testDate". If out-dated,
*  this item is removed and PKIX_FALSE is returned at "pFound".
*  This hashtable is maintained in the following ways:
*  1) When creating the hashtable, maximum bucket size can be specified (0 for
*     unlimited). If items in a bucket reaches its full size, an new addition
*     will trigger the removal of the old as FIFO sequence.
*  2) A PKIX_PL_Date created with current time offset by constant 
*     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
*     If the CertStore this Cert is from is a trusted one, the cache period is
*     shorter so cache can be updated more frequently.
*     When an item is retrieved, this date is compared against "testDate" for
*     validity. If comparison indicates this item is expired, the item is
*     removed from the bucket.
*
* PARAMETERS:
*  "store"
*      Address of CertStore as key to retrieve this CertChain. Must be 
*      non-NULL.
*  "certSelParams"
*      Address of ComCertSelParams that its subject is used as key to retrieve
*      this CertChain. Must be non-NULL.
*  "testDate"
*      Address of PKIX_PL_Date for verifying time cache validity.
*      Must be non-NULL. If testDate is NULL, this cache item won't be out
*      dated.
*  "pFound"
*      Address of KPKIX_Boolean indicating valid data is found.
*      Must be non-NULL.
*  "pCerts"
*      Address PKIX_List where the CertChain will be stored. Must be no-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CacheCert_Lookup(
       PKIX_CertStore *store,
       PKIX_ComCertSelParams *certSelParams,
       PKIX_PL_Date *testDate,
       PKIX_Boolean *pFound,
       PKIX_List** pCerts,
       void *plContext)
{
       PKIX_PL_Cert *cert = NULL;
       PKIX_List *cachedKeys = NULL;
       PKIX_List *cachedValues = NULL;
       PKIX_List *cachedCertList = NULL;
       PKIX_List *selCertList = NULL;
       PKIX_PL_X500Name *subject = NULL;
       PKIX_PL_Date *invalidAfterDate = NULL;
       PKIX_PL_Date *cacheValidUntilDate = NULL;
       PKIX_CertSelector *certSel = NULL;
       PKIX_Error *cachedCertError = NULL;
       PKIX_Error *selectorError = NULL;
       PKIX_CertSelector_MatchCallback selectorMatch = NULL;
       PKIX_Int32 cmpValidTimeResult = PKIX_FALSE;
       PKIX_Int32 cmpCacheTimeResult = 0;
       PKIX_UInt32 numItems = 0;
       PKIX_UInt32 i;

       PKIX_ENTER(BUILD, "pkix_CacheCert_Lookup");
       PKIX_NULLCHECK_TWO(store, certSelParams);
       PKIX_NULLCHECK_TWO(pFound, pCerts);

       *pFound = PKIX_FALSE;

       PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
               PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedKeys, (PKIX_PL_Object *)store, plContext),
               PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
               (certSelParams, &subject, plContext),
               PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);

       PKIX_NULLCHECK_ONE(subject);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedKeys, (PKIX_PL_Object *)subject, plContext),
               PKIX_LISTAPPENDITEMFAILED);

       cachedCertError = PKIX_PL_HashTable_Lookup
                   (cachedCertTable,
                   (PKIX_PL_Object *) cachedKeys,
                   (PKIX_PL_Object **) &cachedValues,
                   plContext);
       pkix_cLookupCount++;

       if (cachedValues != NULL && cachedCertError == NULL) {

               PKIX_CHECK(PKIX_List_GetItem
                       (cachedValues,
                       0,
                       (PKIX_PL_Object **) &cacheValidUntilDate,
                       plContext),
                       PKIX_LISTGETITEMFAILED);

               if (testDate) {
                   PKIX_CHECK(PKIX_PL_Object_Compare
                        ((PKIX_PL_Object *)testDate,
                        (PKIX_PL_Object *)cacheValidUntilDate,
                        &cmpCacheTimeResult,
                        plContext),
                        PKIX_OBJECTCOMPARATORFAILED);
               }

               if (cmpCacheTimeResult <= 0) {

                   PKIX_CHECK(PKIX_List_GetItem
                       (cachedValues,
                       1,
                       (PKIX_PL_Object **) &cachedCertList,
                       plContext),
                       PKIX_LISTGETITEMFAILED);

                   /*
                    * Certs put on cache satifies only for Subject,
                    * user selector and ComCertSelParams to filter.
                    */
                   PKIX_CHECK(PKIX_CertSelector_Create
                         (NULL, NULL, &certSel, plContext),
                         PKIX_CERTSELECTORCREATEFAILED);

                   PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
                         (certSel, certSelParams, plContext),
                         PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);

                   PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
                         (certSel, &selectorMatch, plContext),
                         PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);

                   PKIX_CHECK(PKIX_List_Create(&selCertList, plContext),
                           PKIX_LISTCREATEFAILED);

                   /* 
                    * If any of the Cert on the list is out-dated, invalidate
                    * this cache item.
                    */
                   PKIX_CHECK(PKIX_List_GetLength
                       (cachedCertList, &numItems, plContext),
                       PKIX_LISTGETLENGTHFAILED);

                   for (i = 0; i < numItems; i++){

                       PKIX_CHECK(PKIX_List_GetItem
                           (cachedCertList,
                           i,
                           (PKIX_PL_Object **)&cert,
                           plContext),
                           PKIX_LISTGETITEMFAILED);

                       PKIX_CHECK(PKIX_PL_Cert_GetValidityNotAfter
                           (cert, &invalidAfterDate, plContext),
                           PKIX_CERTGETVALIDITYNOTAFTERFAILED);

                       if (testDate) {
                           PKIX_CHECK(PKIX_PL_Object_Compare
                               ((PKIX_PL_Object *)invalidAfterDate,
                               (PKIX_PL_Object *)testDate,
                               &cmpValidTimeResult,
                               plContext),
                               PKIX_OBJECTCOMPARATORFAILED);
                       }

                       if (cmpValidTimeResult < 0) {

                           pkix_cRemoveCount++;
                           *pFound = PKIX_FALSE;

                           /* one cert is out-dated, remove item from cache */
                           PKIX_CHECK(PKIX_PL_HashTable_Remove
                                   (cachedCertTable,
                                   (PKIX_PL_Object *) cachedKeys,
                                   plContext),
                                   PKIX_HASHTABLEREMOVEFAILED);
                           goto cleanup;
                       }

                       selectorError = selectorMatch(certSel, cert, plContext);
                       if (!selectorError){
                           /* put on the return list */
                           PKIX_CHECK(PKIX_List_AppendItem
                                  (selCertList,
                                  (PKIX_PL_Object *)cert,
                                  plContext),
                                 PKIX_LISTAPPENDITEMFAILED);
                          *pFound = PKIX_TRUE;
                       } else {
                           PKIX_DECREF(selectorError);
                       }

                       PKIX_DECREF(cert);
                       PKIX_DECREF(invalidAfterDate);

                   }

                   if (*pFound) {
                       PKIX_INCREF(selCertList);
                       *pCerts = selCertList;
                   }

               } else {

                   pkix_cRemoveCount++;
                   *pFound = PKIX_FALSE;
                   /* cache item is out-dated, remove it from cache */
                   PKIX_CHECK(PKIX_PL_HashTable_Remove
                               (cachedCertTable,
                               (PKIX_PL_Object *) cachedKeys,
                               plContext),
                               PKIX_HASHTABLEREMOVEFAILED);
               }

       } 

cleanup:

       PKIX_DECREF(subject);
       PKIX_DECREF(certSel);
       PKIX_DECREF(cachedKeys);
       PKIX_DECREF(cachedValues);
       PKIX_DECREF(cacheValidUntilDate);
       PKIX_DECREF(cert);
       PKIX_DECREF(cachedCertList);
       PKIX_DECREF(selCertList);
       PKIX_DECREF(invalidAfterDate);
       PKIX_DECREF(cachedCertError);
       PKIX_DECREF(selectorError);

       PKIX_RETURN(BUILD);
}

/*
* FUNCTION: pkix_CacheCert_Add
* DESCRIPTION:
*
*  Add Cert Hash Table for a cached item based on "store" and Subject in
*  "certSelParams" as the hash keys and have "certs" as the key value.
*  This hashtable is maintained in the following ways:
*  1) When creating the hashtable, maximum bucket size can be specified (0 for
*     unlimited). If items in a bucket reaches its full size, an new addition
*     will trigger the removal of the old as FIFO sequence.
*  2) A PKIX_PL_Date created with current time offset by constant 
*     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
*     If the CertStore this Cert is from is a trusted one, the cache period is
*     shorter so cache can be updated more frequently.
*     When an item is retrieved, this date is compared against "testDate" for
*     validity. If comparison indicates this item is expired, the item is
*     removed from the bucket.
*
* PARAMETERS:
*  "store"
*      Address of CertStore as key to retrieve this CertChain. Must be 
*      non-NULL.
*  "certSelParams"
*      Address of ComCertSelParams that its subject is used as key to retrieve
*      this CertChain. Must be non-NULL.
*  "certs"
*      Address PKIX_List of Certs will be stored. Must be no-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CacheCert_Add(
       PKIX_CertStore *store,
       PKIX_ComCertSelParams *certSelParams,
       PKIX_List* certs,
       void *plContext)
{
       PKIX_List *cachedKeys = NULL;
       PKIX_List *cachedValues = NULL;
       PKIX_List *cachedCerts = NULL;
       PKIX_PL_Date *cacheValidUntilDate = NULL;
       PKIX_PL_X500Name *subject = NULL;
       PKIX_Error *cachedCertError = NULL;
       PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
       PKIX_UInt32 cachePeriod = CACHE_ITEM_PERIOD_SECONDS;
       PKIX_UInt32 numCerts = 0;

       PKIX_ENTER(BUILD, "pkix_CacheCert_Add");
       PKIX_NULLCHECK_THREE(store, certSelParams, certs);

       PKIX_CHECK(PKIX_List_GetLength(certs, &numCerts,
                                      plContext),
                  PKIX_LISTGETLENGTHFAILED);
       if (numCerts == 0) {
           /* Don't want to add an empty list. */
           goto cleanup;
       }

       PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
               PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedKeys, (PKIX_PL_Object *)store, plContext),
               PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
               (certSelParams, &subject, plContext),
               PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);

       PKIX_NULLCHECK_ONE(subject);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedKeys, (PKIX_PL_Object *)subject, plContext),
               PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_Create(&cachedValues, plContext),
               PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_CertStore_GetTrustCallback
               (store, &trustCallback, plContext),
               PKIX_CERTSTOREGETTRUSTCALLBACKFAILED);

       if (trustCallback) {
               cachePeriod = CACHE_TRUST_ITEM_PERIOD_SECONDS;
       }

       PKIX_CHECK(PKIX_PL_Date_Create_CurrentOffBySeconds
              (cachePeriod, &cacheValidUntilDate, plContext),
              PKIX_DATECREATECURRENTOFFBYSECONDSFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedValues,
               (PKIX_PL_Object *)cacheValidUntilDate,
               plContext),
               PKIX_LISTAPPENDITEMFAILED);

       PKIX_DUPLICATE(certs, &cachedCerts, plContext,
               PKIX_OBJECTDUPLICATELISTFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
               (cachedValues,
               (PKIX_PL_Object *)cachedCerts,
               plContext),
               PKIX_LISTAPPENDITEMFAILED);

       cachedCertError = PKIX_PL_HashTable_Add
                   (cachedCertTable,
                   (PKIX_PL_Object *) cachedKeys,
                   (PKIX_PL_Object *) cachedValues,
                   plContext);

       pkix_cAddCount++;

       if (cachedCertError != NULL) {
               PKIX_DEBUG("PKIX_PL_HashTable_Add for Certs skipped: "
                       "entry existed\n");
       }

cleanup:

       PKIX_DECREF(subject);
       PKIX_DECREF(cachedKeys);
       PKIX_DECREF(cachedValues);
       PKIX_DECREF(cachedCerts);
       PKIX_DECREF(cacheValidUntilDate);
       PKIX_DECREF(cachedCertError);

       PKIX_RETURN(BUILD);
}

/*
* FUNCTION: pkix_CacheCrlEntry_Lookup
* DESCRIPTION:
*
*  Look up CrlEntry Hash Table for a cached item based on "store",
*  "certIssuer" and "certSerialNumber" as the hash keys and returns values
*  "pCrls". If there isn't an item to match the key, a PKIX_FALSE is
*  returned at "pFound".
*  This hashtable is maintained in the following way:
*  1) When creating the hashtable, maximum bucket size can be specified (0 for
*     unlimited). If items in a bucket reaches its full size, an new addition
*     will trigger the removal of the old as FIFO sequence.
*
* PARAMETERS:
*  "store"
*      Address of CertStore as key to retrieve this CertChain. Must be 
*      non-NULL.
*  "certIssuer"
*      Address of X500Name that is used as key to retrieve the CRLEntries.
*      Must be non-NULL.
*  "certSerialNumber"
*      Address of BigInt that is used as key to retrieve the CRLEntries.
*      Must be non-NULL.
*  "pFound"
*      Address of KPKIX_Boolean indicating valid data is found.
*      Must be non-NULL.
*  "pCrls"
*      Address PKIX_List where the CRLEntry will be stored. Must be no-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CacheCrlEntry_Lookup(
       PKIX_CertStore *store,
       PKIX_PL_X500Name *certIssuer,
       PKIX_PL_BigInt *certSerialNumber,
       PKIX_Boolean *pFound,
       PKIX_List** pCrls,
       void *plContext)
{
       PKIX_List *cachedKeys = NULL;
       PKIX_List *cachedCrlEntryList = NULL;
       PKIX_Error *cachedCrlEntryError = NULL;

       PKIX_ENTER(BUILD, "pkix_CacheCrlEntry_Lookup");
       PKIX_NULLCHECK_THREE(store, certIssuer, certSerialNumber);
       PKIX_NULLCHECK_TWO(pFound, pCrls);

       *pFound = PKIX_FALSE;

       /* Find CrlEntry(s) by issuer and serial number */
        
       PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
                   PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys, (PKIX_PL_Object *)store, plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys, (PKIX_PL_Object *)certIssuer, plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys,
                   (PKIX_PL_Object *)certSerialNumber,
                   plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       cachedCrlEntryError = PKIX_PL_HashTable_Lookup
                   (cachedCrlEntryTable,
                   (PKIX_PL_Object *) cachedKeys,
                   (PKIX_PL_Object **) &cachedCrlEntryList,
                   plContext);
       pkix_ceLookupCount++;

       /* 
        * We don't need check Date to invalidate this cache item,
        * the item is uniquely defined and won't be reverted. Let
        * the FIFO for cleaning up.
        */

       if (cachedCrlEntryList != NULL && cachedCrlEntryError == NULL ) {

               PKIX_INCREF(cachedCrlEntryList);
               *pCrls = cachedCrlEntryList;

               *pFound = PKIX_TRUE;

       } else {

               *pFound = PKIX_FALSE;
       }

cleanup:

       PKIX_DECREF(cachedKeys);
       PKIX_DECREF(cachedCrlEntryList);
       PKIX_DECREF(cachedCrlEntryError);

       PKIX_RETURN(BUILD);
}

/*
* FUNCTION: pkix_CacheCrlEntry_Add
* DESCRIPTION:
*
*  Look up CrlEntry Hash Table for a cached item based on "store",
*  "certIssuer" and "certSerialNumber" as the hash keys and have "pCrls" as
*  the hash value. If there isn't an item to match the key, a PKIX_FALSE is
*  returned at "pFound".
*  This hashtable is maintained in the following way:
*  1) When creating the hashtable, maximum bucket size can be specified (0 for
*     unlimited). If items in a bucket reaches its full size, an new addition
*     will trigger the removal of the old as FIFO sequence.
*
* PARAMETERS:
*  "store"
*      Address of CertStore as key to retrieve this CertChain. Must be 
*      non-NULL.
*  "certIssuer"
*      Address of X500Name that is used as key to retrieve the CRLEntries.
*      Must be non-NULL.
*  "certSerialNumber"
*      Address of BigInt that is used as key to retrieve the CRLEntries.
*      Must be non-NULL.
*  "crls"
*      Address PKIX_List where the CRLEntry is stored. Must be no-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns an Error Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_CacheCrlEntry_Add(
       PKIX_CertStore *store,
       PKIX_PL_X500Name *certIssuer,
       PKIX_PL_BigInt *certSerialNumber,
       PKIX_List* crls,
       void *plContext)
{
       PKIX_List *cachedKeys = NULL;
       PKIX_Error *cachedCrlEntryError = NULL;

       PKIX_ENTER(BUILD, "pkix_CacheCrlEntry_Add");
       PKIX_NULLCHECK_THREE(store, certIssuer, certSerialNumber);
       PKIX_NULLCHECK_ONE(crls);

       /* Add CrlEntry(s) by issuer and serial number */
        
       PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
                   PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys, (PKIX_PL_Object *)store, plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys, (PKIX_PL_Object *)certIssuer, plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (cachedKeys,
                   (PKIX_PL_Object *)certSerialNumber,
                   plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       cachedCrlEntryError = PKIX_PL_HashTable_Add
                   (cachedCrlEntryTable,
                   (PKIX_PL_Object *) cachedKeys,
                   (PKIX_PL_Object *) crls,
                   plContext);
       pkix_ceAddCount++;

cleanup:

       PKIX_DECREF(cachedKeys);
       PKIX_DECREF(cachedCrlEntryError);

       PKIX_RETURN(BUILD);
}

#ifdef PKIX_OBJECT_LEAK_TEST

/* TEST_START_FN and testStartFnStackPosition define at what state
* of the stack the object leak testing should begin. The condition
* in pkix_CheckForGeneratedError works the following way: do leak
* testing if at position testStartFnStackPosition in stack array
* (fnStackNameArr) we have called function TEST_START_FN.
* Note, that stack array get filled only when executing libpkix
* functions.
* */
#define TEST_START_FN "PKIX_BuildChain"

PKIX_Error*
pkix_CheckForGeneratedError(PKIX_StdVars * stdVars, 
                           PKIX_ERRORCLASS errClass, 
                           char * fnName,
                           PKIX_Boolean *errSetFlag,
                           void * plContext)
{
   PKIX_Error *genErr = NULL;
   PKIX_UInt32 pos = 0;
   PKIX_UInt32 strLen = 0;

   if (fnName) { 
       if (fnStackNameArr[testStartFnStackPosition] == NULL ||
           strcmp(fnStackNameArr[testStartFnStackPosition], TEST_START_FN)
           ) {
           /* return with out error if not with in boundary */
           return NULL;
       }
       if (!strcmp(fnName, TEST_START_FN)) {
           *errSetFlag = PKIX_TRUE;
           noErrorState = PKIX_FALSE;
           errorGenerated = PKIX_FALSE;
       }
   }   

   if (noErrorState || errorGenerated)  return NULL;

   if (fnName && (
       !strcmp(fnName, "PKIX_PL_Object_DecRef") ||
       !strcmp(fnName, "PKIX_PL_Object_Unlock") ||
       !strcmp(fnName, "pkix_UnlockObject") ||
       !strcmp(fnName, "pkix_Throw") ||
       !strcmp(fnName, "pkix_trace_dump_cert") ||
       !strcmp(fnName, "PKIX_PL_Free"))) {
       /* do not generate error for this functions */
       noErrorState = PKIX_TRUE;
       *errSetFlag = PKIX_TRUE;
       return NULL;
   }

   if (PL_HashTableLookup(fnInvTable, &fnStackInvCountArr[stackPosition - 1])) {
       return NULL;
   }

   PL_HashTableAdd(fnInvTable, &fnStackInvCountArr[stackPosition - 1], nonNullValue);
   errorGenerated = PKIX_TRUE;
   noErrorState = PKIX_TRUE;
   genErr = PKIX_DoThrow(stdVars, errClass, PKIX_MEMLEAKGENERATEDERROR,
                         errClass, plContext);
   while(fnStackNameArr[pos]) {
       strLen += PORT_Strlen(fnStackNameArr[pos++]) + 1;
   }
   strLen += 1; /* end of line. */
   pos = 0;
   errorFnStackString = PORT_ZAlloc(strLen);
   while(fnStackNameArr[pos]) {
       strcat(errorFnStackString, "/");
       strcat(errorFnStackString, fnStackNameArr[pos++]);
   }
   noErrorState = PKIX_FALSE;
   
   return genErr;
}
#endif /* PKIX_OBJECT_LEAK_TEST */