Certificate operations fall into two general areas:
To support new certificate types and new uses of certificates, the sign and verify operations in the Certificate Library Interface support a scope parameter. The scope parameter enables an application to sign a portion of the certificate, namely the fields identified by the scope. This enables future certificate models, which are expected to allow field signing. CL modules that support existing certificate formats, such as X.509 Version 1, which sign and verify a pre-defined portion of the certificate, will ignore this parameter.
The CL module's certificate format is exposed via its fields. These fields will consist of tag/value pairs, where the tag is an object identifier (OID). These OIDs reference specific data types or data structures within the certificate or CRL. OIDs are defined by the certificate library developer at a granularity appropriate for the expected usage of the CL.
Operations on certificate revocation lists comprise cryptographic operations and field management operations on the CRL as a whole, and on individual revocation records. The entire CRL can be signed or verified. This will ensure the integrity of the CRL's contents as it is passed between systems. Individual revocation records may be signed when they are revoked and verified when they are queried, as determined by the CL Module. Certificates may be revoked and unrevoked by adding or removing them from the CRL at any time prior to its being signed. The contents of the CRL can be queried for all of its revocation records, specific certificates, or individual CRL fields.
A pass-through function is included in the Certificate Library Interface to allow certificate libraries to expose additional services beyond what is currently defined in the CSSM API. These services should be syntactic in nature, meaning that they should be dependent on the data format of the certificates and CRLs manipulated by the library. CSSM will pass an operation identifier and input parameters from the application to the appropriate certificate library. Within the CL_PassThrough function in the certificate library, the input parameters will be interpreted and the appropriate operation performed. The certificate library developer is responsible for making known to the application the identity and parameters of the supported pass-through operations.
These data structures are used by applications to prepare data to be passed as input parameters into CSSM API function calls which will be passed without modification to the appropriate CL. The CL is then responsible for interpreting them and returning the appropriate data structure to the calling application via CSSM.
typedef struct cssm_spi_cl_funcs {
CSSM_RETURN (CSSMAPI *CertCreateTemplate)
(CSSM_CL_HANDLE CLHandle,
uint32 NumberOfFields,
const CSSM_FIELD *CertFields,
CSSM_DATA_PTR CertTemplate);
CSSM_RETURN (CSSMAPI *CertGetAllTemplateFields)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *CertTemplate,
uint32 *NumberOfFields,
CSSM_FIELD_PTR *CertFields);
CSSM_RETURN (CSSMAPI *CertSign)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_DATA *CertTemplate,
const CSSM_FIELD *SignScope,
uint32 ScopeSize,
CSSM_DATA_PTR SignedCert);
CSSM_RETURN (CSSMAPI *CertVerify)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_DATA *CertToBeVerified,
const CSSM_DATA *SignerCert,
const CSSM_FIELD *VerifyScope,
uint32 ScopeSize);
CSSM_RETURN (CSSMAPI *CertVerifyWithKey)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_DATA *CertToBeVerified);
CSSM_RETURN (CSSMAPI *CertGetFirstFieldValue)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Cert,
const CSSM_OID *CertField,
CSSM_HANDLE_PTR ResultsHandle,
uint32 *NumberOfMatchedFields,
CSSM_DATA_PTR *Value);
CSSM_RETURN (CSSMAPI *CertGetNextFieldValue)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE ResultsHandle,
CSSM_DATA_PTR *Value);
CSSM_RETURN (CSSMAPI *CertAbortQuery)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE ResultsHandle);
CSSM_RETURN (CSSMAPI *CertGetKeyInfo)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Cert,
CSSM_KEY_PTR *Key);
CSSM_RETURN (CSSMAPI *CertGetAllFields)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Cert,
uint32 *NumberOfFields,
CSSM_FIELD_PTR *FieldList);
CSSM_RETURN (CSSMAPI FreeFields)
(CSSM_CL_HANDLE CLHandle,
uint32 NumberOfFields,
CSSM_FIELD_PTR FieldArray);
CSSM_RETURN (CSSMAPI *FreeFieldValue)
(CSSM_CL_HANDLE CLHandle,
const CSSM_OID *CertOrCrlOid,
CSSM_DATA_PTR Value);
CSSM_RETURN (CSSMAPI *CertCache)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Cert,
CSSM_HANDLE_PTR CertHandle);
CSSM_RETURN (CSSMAPI *CertGetFirstCachedFieldValue)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE CertHandle,
const CSSM_OID *CertField,
CSSM_HANDLE_PTR ResultsHandle,
uint32 *NumberOfMatchedFields,
CSSM_DATA_PTR *FieldValue);
CSSM_RETURN (CSSMAPI *CertGetNextCachedFieldValue)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE ResultsHandle,
CSSM_DATA_PTR *FieldValue);
CSSM_RETURN (CSSMAPI *CertAbortCache)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE CertHandle);
CSSM_RETURN (CSSMAPI *CertGroupToSignedBundle)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_CERTGROUP *CertGroupToBundle,
const CSSM_DATA *SignerCert,
const CSSM_CERT_BUNDLE_HEADER *BundleInfo,
CSSM_DATA_PTR SignedBundle);
CSSM_RETURN (CSSMAPI *CertGroupFromVerifiedBundle)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_CERT_BUNDLE *CertBundle,
const CSSM_DATA *SignerCert,
CSSM_CERTGROUP_PTR *CertGroup);
CSSM_RETURN (CSSMAPI *CertDescribeFormat)
(CSSM_CL_HANDLE CLHandle,
uint32 *NumberOfOids,
CSSM_OID_PTR *OidList);
CSSM_RETURN (CSSMAPI *CrlCreateTemplate)
(CSSM_CL_HANDLE CLHandle,
uint32 NumberOfFields,
const CSSM_FIELD *CrlTemplate,
CSSM_DATA_PTR NewCrl);
CSSM_RETURN (CSSMAPI *CrlSetFields)
(CSSM_CL_HANDLE CLHandle,
uint32 NumberOfFields,
const CSSM_FIELD *CrlTemplate,
const CSSM_DATA *OldCrl,
CSSM_DATA_PTR ModifiedCrl);
CSSM_RETURN (CSSMAPI *CrlAddCert)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_DATA *Cert,
uint32 NumberOfFields,
const CSSM_FIELD *CrlEntryFields,
const CSSM_DATA *OldCrl,
CSSM_DATA_PTR NewCrl);
CSSM_RETURN (CSSMAPI *CrlRemoveCert)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Cert,
const CSSM_DATA *OldCrl,
CSSM_DATA_PTR NewCrl);
CSSM_RETURN (CSSMAPI *CrlSign)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_DATA *UnsignedCrl,
const CSSM_FIELD *SignScope,
uint32 ScopeSize,
CSSM_DATA_PTR SignedCrl);
CSSM_RETURN (CSSMAPI *CrlVerify)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_DATA *CrlToBeVerified,
const CSSM_DATA *SignerCert,
const CSSM_FIELD *VerifyScope,
uint32 ScopeSize);
CSSM_RETURN (CSSMAPI *CrlVerifyWithKey)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_DATA *CrlToBeVerified);
CSSM_RETURN (CSSMAPI *IsCertInCrl)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Cert,
const CSSM_DATA *Crl,
CSSM_BOOL *CertFound);
CSSM_RETURN (CSSMAPI *CrlGetFirstFieldValue)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Crl,
const CSSM_OID *CrlField,
CSSM_HANDLE_PTR ResultsHandle,
uint32 *NumberOfMatchedFields,
CSSM_DATA_PTR *Value);
CSSM_RETURN (CSSMAPI *CrlGetNextFieldValue)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE ResultsHandle,
CSSM_DATA_PTR *Value);
CSSM_RETURN (CSSMAPI *CrlAbortQuery)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE ResultsHandle);
CSSM_RETURN (CSSMAPI *CrlGetAllFields)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Crl,
uint32 *NumberOfCrlFields,
CSSM_FIELD_PTR *CrlFields);
CSSM_RETURN (CSSMAPI *CrlCache)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Crl,
CSSM_HANDLE_PTR CrlHandle);
CSSM_RETURN (CSSMAPI *IsCertInCachedCrl)
(CSSM_CL_HANDLE CLHandle,
const CSSM_DATA *Cert,
CSSM_HANDLE CrlHandle,
CSSM_BOOL *CertFound,
CSSM_DATA_PTR CrlRecordIndex);
CSSM_RETURN (CSSMAPI *CrlGetFirstCachedFieldValue)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE CrlHandle,
const CSSM_DATA *CrlRecordIndex,
const CSSM_OID *CrlField,
CSSM_HANDLE_PTR ResultsHandle,
uint32 *NumberOfMatchedFields,
CSSM_DATA_PTR *FieldValue);
CSSM_RETURN (CSSMAPI *CrlGetNextCachedFieldValue)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE ResultsHandle,
CSSM_DATA_PTR *FieldValue);
CSSM_RETURN (CSSMAPI *CrlGetAllCachedRecordFields)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE CrlHandle,
const CSSM_DATA *CrlRecordIndex,
uint32 *NumberOfFields,
CSSM_FIELD_PTR *Fields);
CSSM_RETURN (CSSMAPI *CrlAbortCache)
(CSSM_CL_HANDLE CLHandle,
CSSM_HANDLE CrlHandle);
CSSM_RETURN (CSSMAPI *CrlDescribeFormat)
(CSSM_CL_HANDLE CLHandle,
uint32 *NumberOfOids,
CSSM_OID_PTR *OidList);
CSSM_RETURN (CSSMAPI *PassThrough)
(CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
uint32 PassThroughId,
const void * InputParams,
void **OutputParams);
} CSSM_SPI_CL_FUNCS, *CSSM_SPI_CL_FUNCS_PTR;
All certificate library service provider modules can return the following common error codes from any certificate library service function. These error codes are not repeated in individual function definitions.
CL_CertCreateTemplate
CSSM_RETURN CSSMCLI CL_CertCreateTemplate (CSSM_CL_HANDLE CLHandle, uint32 NumberOfFields const CSSM_FIELD *CertFields, CSSM_DATA_PTR CertTemplate)
This function allocates and initializes memory for an encoded certificate template output in CertTemplate->Data. The template values are specified by the input OID/value pairs contained in CertFields. The initialization process includes encoding all certificate field values according to the certificate type and certificate encoding supported by the certificate library module.The memory for CerTemplate->Data is allocated by the service provider using the calling application's memory management routines. The application must deallocate the memory.
- CLHandle (input)
The handle that describes the certificate library module used to perform this function.
- NumberOfFields (input)
The number of certificate field values specified in the CertFields.
- CertFields (input)
A pointer to an array of OID/value pairs that identify the field values to initialize a new certificate.
- CertTemplate (output)
A pointer to a CSSM_DATA structure that will contain the unsigned certificate template as a result of this function.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGetAllTemplateFields()
CL_CertSign()
CL_CertGetAllTemplateFields
CSSM_RETURN CSSMCLI CL_CertGetAllTemplateFields (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *CertTemplate, uint32 *NumberOfFields, CSSM_FIELD_PTR *CertFields)
This function extracts and returns a copy of the values stored in the encoded CertTemplate. The memory for the CertFields output is allocated by the service provider using the calling application's memory management routines. The application must deallocate the memory by callingCSSM_CL_FreeFields() .
- CLHandle (input)
The handle that describes the certificate library module used to perform this function.
- CertTemplate (input)
A pointer to the CSSM_DATA structure containing the packed, encoded certificate template.
- NumberOfFields (output)
The length of the output array of fields.
- CertFields (output)
A pointer to an array of CSSM_FIELD structures which contains the OIDs and values of the fields of the input certificate template.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CSSM_CL_FreeFields()
CL_CertCreateTemplate()
CL_CertSign
CSSM_RETURN CSSMCLI CL_CertSign (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *CertTemplate, const CSSM_FIELD *SignScope, uint32 ScopeSize, CSSM_DATA_PTR *SignedCert)
This function signs a certificate using the private key and signing algorithm specified in the CCHandle. The result is a signed, encoded certificate in SignedCert. The certificate field values are specified in the input certificate template. The template is constructed usingCL_CertCreateTemplate() . The template is in the default format for this CL.The CCHandle must be a signature context created using the function
CSSM_CSP_CreateSignatureContext() . The context must specify the Cryptographic Services Provider module, the signing algorithm, and the signing key that must be used to perform this operation. The context must also provide the passphrase or a callback function to obtain the passphrase required to access and use the private key.The fields included in the signing operation are identified by the OIDs in the optional SignScope array.
The memory for the SignedCert->Data output is allocated by the service provider using the calling application's memory management routines. The application must deallocate the memory.
- CLHandle (input)
The handle that describes the certificate library module used to perform this operation.
- CCHandle (input)
A signature context defining the CSP, signing algorithm, and private key that must be used to perform the operation. The passphrase for the private key is also provided.
- CertTemplate (input)
A pointer to a CSSM_DATA structure containing a certificate template in the default format supported by this CL. The template contains values that are currently contained in or will be contained in a signed certificate.
- SignScope (input/optional)
A pointer to the CSSM_FIELD array containing the OID/value pairs of the fields to be signed. A null input signs all the fields provided by CertTemplate
- ScopeSize (input)
The number of entries in the SignScope list. If the sign scope is not specified, the input value for scope size must be zero.
- SignedCert (output)
A pointer to the CSSM_DATA structure containing the signed certificate.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertVerify()
CL_CertVerifyWithKey()
CL_CertCreateTemplate()
CL_CertVerify
CSSM_RETURN CSSMCLI CL_CertVerify (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *CertToBeVerified, const CSSM_DATA *SignerCert, const CSSM_FIELD *VerifyScope, uint32 ScopeSize)
This function verifies that the signed certificate has not been altered since it was signed by the designated signer. Only one signature is verified by this function. If the certificate to be verified includes multiple signatures, this function must be applied once for each signature to be verified. This function verifies a digital signature over the certificate fields specified by VerifyScope. If the verification scope fields are not specified, the function performs verification using a pre-selected set of fields in the certificate.The caller can specify a cryptographic service provider and verification algorithm the CL can use to perform the verification. The handle for the CSP is contained in the cryptographic context identified by CCHandle.
The verification process requires that the caller specifies the necessary verification algorithm parameters. These parameter values are specified in one of two prioritized locations:
- As a field value in the SignerCert
- As a set of algorithm parameters contained in the cryptographic context identified by CCHandle
The Certificate Library module uses the first set of algorithm parameters encountered in this priority order. If no algorithm parameters are found, the certificate can not be verified and the operation fails.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CCHandle (input/optional)
The handle that describes the context of this cryptographic operation.
- CertToBeVerified (input)
A pointer to the CSSM_DATA structure containing a certificate containing at least one signature for verification. An unsigned certificate template cannot be verified.
- SignerCert (input/optional)
A pointer to the CSSM_DATA structure containing the certificate used to sign the subject certificate. This certificate provides the public key to use in the verification process and if the certificate being verified contains multiple signatures, the signer's certificate indicates which signature is to be verified.
- VerifyScope (input/optional)
A pointer to the CSSM_FIELD array containing the tag/value pairs of the fields to be used in verifying the signature (that is, the fields that were used to calculate the signature). If the verify scope is null, the certificate library module assumes that its default set of certificate fields were used to calculate the signature and those same fields are used in the verification process.
- ScopeSize (input)
The number of entries in the verify scope list. If the verification scope is not specified, the input value for scope size must be zero.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertSign()
CL_CertVerifyWithKey
CSSM_RETURN CSSMAPI CL_CertVerifyWithKey (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *CertToBeVerified)
This function verifies that the CertToBeVerified was signed using a specific private key and that the certificate has not been altered since it was signed using that private key. The public key corresponding to the private signing key is used in the verification process.The CCHandle, must be a signature verification context created using the function
CSP_CreateSignatureContext() . The context must specify the Cryptographic Services Provider module, the verification algorithm, and the public verification key that must be used to perform this operation.
- CLHandle (input)
The handle that describes the certificate library service module used to perform this function.
- CCHandle (input)
A signature verification context defining the CSP, verification algorithm, and public key that must be used to perform the operation.
- CertToBeVerified (input)
A signed certificate whose signature is to be verified.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertVerify()
CL_CrlVerify()
CL_CertGetFirstFieldValue
CSSM_RETURN CSSMCLI CL_CertGetFirstFieldValue (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Cert, const CSSM_OID *CertField, CSSM_HANDLE_PTR ResultsHandle, uint32 *NumberOfMatchedFields, CSSM_DATA_PTR *Value)
This function returns the value of the certificate field designated by the CSSM_OID CertField. The OID also identifies the data format for the field value returned to the caller. If multiple OIDs name the same certificate field, then each such OID defines a distinct data format for the returned field value. The functionCL_CertDescribeFormat() provides a list of all CSSM_OID values supported by a certificate library module for naming fields of a certificate.If more than one field matches the CertField OID, the first matching field will be returned. The number of matching fields is an output parameter, as is the ResultsHandle to be used to retrieve the remaining matching fields.
The set of matching fields is determined by this function. The number of matching fields and the field values do not change between this function and subsequent calls to
CL_CertGetNextFieldValue() .
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- Cert (input)
A pointer to the CSSM_DATA structure containing the certificate.
- CertField (input)
A pointer to an object identifier that identifies the field value to be extracted from the Cert.
- ResultsHandle (output)
A pointer to the CSSM_HANDLE that should be used to obtain any additional matching fields.
- NumberOfMatchedFields (output)
The total number of fields that match the CertField OID. This count includes the first match, which was returned by this function.
- Value (output)
A pointer to the structure containing the value of the requested field. The structure and the field at I "(*Value)->Data" are allocated by the service provider. TheCSSM_CL_FreeFieldValue() function can be used to deallocate *Value and (*Value)->Data.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition. See the corresponding function call definition in Part 2 of this document.
CL_CertGetNextFieldValue()
CL_CertAbortQuery()
CL_CertGetAllFields()
CL_CertDescribeFormat()
CL_FreeFieldValue()
CL_CertGetNextFieldValue
CSSM_RETURN CSSMCLI CL_CertGetNextFieldValue (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE ResultsHandle, CSSM_DATA_PTR *Value)
This function returns the value of a certificate field, when that field occurs multiple times in a certificate. Certificates with repeated fields (such as multiple signatures) have multiple field values corresponding to a single OID. A call to the functionCL_CertGetFirstFieldValue() returns a results handle identifying the size and values contained in the result set. TheCL_CertGetNextFieldValue() function can be called repeatedly to obtain these values, one at a time. The result set does not change in size or value between calls to this function.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- ResultsHandle (input)
The handle that identifies the results of a certificate query.
- Value (output)
A pointer to the structure containing the value of the requested field. The structure and the field at I "(*Value)->Data" are allocated by the service provider. TheCSSM_CL_FreeFieldValue() function can be used to deallocate *Value and (*Value)->Data.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGetFirstFieldValue()
CL_CertAbortQuery()
CSSM_CL_FreeFields()
CL_CertAbortQuery
CSSM_RETURN CSSMCLI CL_CertAbortQuery (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE ResultsHandle)
This function terminates a results handle used to access multiple certificate fields identified by a single OID. The ResultsHandle was created and returned byCL_CertGetFirstFieldValue() or byCL_CertGetFirstCachedFieldValue() . The CL releases all intermediate state information associated with the repeating-value query. Once this function has been invoked, the results handle is invalid.Applications must invoke this function to terminate the ResultsHandle. Using
CL_CertGetNextFieldValue() orCL_CertGetNextCachedFieldValue() to access all of the attributes named by a single OID does not terminate the ResultsHandle. This function can be invoked to terminate the results handle without accessing all of the values identified by the single OID.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- ResultsHandle (input)
The handle that identifies the results of a certificate query.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGetFirstFieldValue()
CL_CertGetNextFieldValue()
CL_CertGetFirstCachedFieldValue()
CL_CertGetNextCachedFieldValue()
CL_CertGetKeyInfo
CSSM_RETURN CSSMCLI CL_CertGetKeyInfo (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Cert, CSSM_KEY_PTR *Key)
This function obtains information about the certificate's public key. Ideally, this information comprises the key fields the application needs to create a cryptographic context that uses this certificate's key.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- Cert (input)
A pointer to the CSSM_DATA structure containing the certificate from which to extract the public key information.
- Key (output)
A pointer to the CSSM_KEY structure containing the public key and possibly other key information. The CSSM_KEY structure and its sub-structures are allocated by the service provider and must be deallocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGetFirstFieldValue()
CL_FreeFieldValue()
CL_FreeFields
CSSM_RETURN CSSMCLI CL_FreeFields (CSSM_CL_HANDLE CLHandle, uint32 NumberOfFields, CSSM_FIELD_PTR FieldArray)
This function frees the fields in the FieldArray by freeing the data pointers for both the FieldOid and FieldValue fields. It also frees the top level FieldArray pointer. This function should only be used to free CSSM_FIELD_PTR values returned from the following calls:
CSSM_TP_CertGetAllTemplateFields()
CSSM_CL_CertGetAllTemplateFields()
CSSM_CL_CertGetAllFields()
CSSM_CL_CrlGetAllFields()
CSSM_CL_CrlGetAllCachedRecordFields()
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- NumberOfFields (output)
The length of the array of fields in FieldArray.
- FieldArray (output)
A pointer to an array of CSSM_FIELD structures that need to be deallocated.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGetFirstFieldValue
CL_CertDescribeFormat
CL_FreeFieldValue
CL_CertGetAllFields
CSSM_RETURN CSSMCLI CL_CertGetAllFields (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Cert, uint32 *NumberOfFields, CSSM_FIELD_PTR *FieldList)
This function returns a list of the fields in the input certificate, as described by their OID/value pairs.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- Cert (input)
A pointer to the CSSM_DATA structure containing the certificate whose fields will be returned.
- NumberOfFields (output)
The length of the output CSSM_FIELD array.
- FieldList (output)
A pointer to an array of CSSM_FIELD structures that contain the values of all of the fields of the input certificate. The field list is allocated by the service provider and must be de-allocated by the application by callingCSSM_CL_FreeFields() .
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGetFirstFieldValue()
CL_CertDescribeFormat()
CL_FreeFieldValue()
CL_FreeFieldValue
CSSM_RETURN CSSMCLI CL_FreeFieldValue (CSSM_CL_HANDLE CLHandle, const CSSM_OID *CertOrCrlOid, CSSM_DATA_PTR Value)
This function frees the data specified by Value and Value->Data. CertOrCrlOid indicates the type of the data in Value.This function should only be used to free CSSM_DATA values returned from calls to:
CL_CertGetFirstFieldValue()
CL_CertGetNextFieldValue()
CL_CertGetFirstCachedFieldValue()
CL_CertGetNextCachedFieldValue()
CL_CrlGetFirstFieldValue()
CL_CrlGetNextFieldValue()
CL_CrlGetFirstCachedFieldValue()
CL_CrlGetNextCachedFieldValue()
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CertOrCrlField (input)
A pointer to the CSSM_OID structure containing the type of the Value to be freed.
- Value (input)
A pointer to the CSSM_DATA structure containing the Data to be freed.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertCache
CSSM_RETURN CSSMCLI CL_CertCache (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Cert, CSSM_HANDLE_PTR CertHandle)
This function caches a copy of a certificate for subsequent accesses using the functionsCL_CertGetFirstCachedFieldValue() andCL_CertGetNextCachedFieldValue.() The input certificate must be in an encoded representation. The Certificate Library module can cache the certificate in any appropriate internal representation. Parsed or incrementally parsed representations are common. The selected representation is opaque to the caller.
The application must call
CL_CertAbortCache() to remove the cached copy when additional get operations will not be performed on the cached certificate.
- CLHandle (input)
The handle that describes the certificate library module used to perform this function.
- Cert (input)
A pointer to the CSSM_DATA structure containing the encoded certificate.
- CertHandle (output)
A pointer to the CSSM_HANDLE that should be used in all future references to the cached certificate.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CSSM_CL_CertGetFirstCachedFieldValue()
CSSM_CL_CertGetNextCachedFieldValue()
CSSM_CL_CertAbortQuery()
CSSM_CL_CertAbortCache()
CL_CertGetFirstCachedFieldValue
CSSM_RETURN CSSMCLI CL_CertGetFirstCachedFieldValue (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE CertHandle, const CSSM_OID *CertField, CSSM_HANDLE_PTR ResultsHandle, uint32 *NumberOfMatchedFields, CSSM_DATA_PTR *FieldValue)
This function returns a single structure containing a set of field values from the cached certificate identified by CertHandle. The selected fields are designated by the CSSM_OID CertField and returned in the output parameter FieldValue. The OID also identifies the data format of the values returned to the caller. If multiple OIDs designate the same certificate field, then each such OID defines a distinct data format for the returned values. The functionCL_CertDescribeFormat() provides a list of all CSSM_OID values supported by a certificate library module for naming fields of a certificate.The CertField OID can identify a single occurrence of a set of certificate fields, or multiple occurrences of a set of certificate fields. If the CertField OID matches more than one occurrence, this function outputs the total number of matches and a ResultsHandle to be used as input to
CertGetNextCachedFieldValue() to retrieve the remaining matches. The first match is returned as the return value of this function.This function determines the complete set of matches. The number of matches and the selected field values do not change between this function and subsequent calls to
CL_CertGetNextCachedFieldValue() .
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CertHandle (input)
A handle identifying a certificate that the application has temporarily cached with the Certificate Library module. The referenced certificate is searched for the field value named by CertField.
- CertField (input)
A pointer to an object identifier that identifies the field value to be extracted from the Cert.
- ResultsHandle (output)
A pointer to the CSSM_HANDLE that should be used to obtain any additional matching fields.
- NumberOfMatchedFields (output)
The total number of fields that match the CertField OID. This count includes the first match, which was returned by this function.
- FieldValue (output)
A pointer to the structure containing the value of the requested field. The structure and the field at I "(*FieldValue)->Data" are allocated by the service provider. TheCSSM_CL_FreeFieldValue() function can be used to deallocate *FieldValue and (*FieldValue)->Data.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGetNextCachedFieldValue()
CL_CertAbortCache()
CL_CertAbortQuery()
CL_CertGetAllFields()
CL_CertDescribeFormat()
CL_CertGetNextCachedFieldValue
CSSM_RETURN CSSMCLI CL_CertGetNextCachedFieldValue (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE ResultsHandle, CSSM_DATA_PTR *FieldValue)
This function returns the value of a certificate field, when that field occurs multiple times in a certificate. Certificates with repeated fields (such as multiple signatures) have multiple field values corresponding to a single OID. A call to the functionCL_CertGetFirstCachedFieldValue() returns a ResultsHandle identifying the size and values contained in the result set. TheCSSM_CL_CertGetNextCachedFieldValue() function can be called repeatedly to obtain these values, one at a time. The result set does not change in size or value between calls to this function.
- CLHandle (input)
The handle that describes the certificate library module used to perform this function.
- ResultsHandle (input)
The handle that identifies the results of a certificate query.
- FieldValue (output)
A pointer to the structure containing the value of the requested field. The structure and the field at I "(*FieldValue)->Data" are allocated by the service provider. TheCSSM_CL_FreeFieldValue() function can be used to deallocate *FieldValue and (*FieldValue)->Data.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGetFirstCachedFieldValue()
CL_CertAbortCache()
CL_CertAbortQuery()
CL_CertGetAllFields()
CL_CertDescribeFormat()
CL_FreeFieldValue()
CL_CertAbortCache
CSSM_RETURN CSSMCLI CL_CertAbortCache (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE CertHandle)
This function terminates a certificate cache handle created and returned by the functionCL_CertCache() . The Certificate Library module releases all cache space and state information associated with the cached certificate.
- CLHandle (input)
The handle that describes the certificate library module used to perform this function.
- CertHandle (input)
The handle that identifies the cached certificate.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertCache()
CL_CertGroupToSignedBundle
CSSM_RETURN CSSMCLI CL_CertGroupToSignedBundle (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_CERTGROUP *CertGroupToBundle, const CSSM_DATA *SignerCert, const CSSM_CERT_BUNDLE_HEADER *BundleInfo, CSSM_DATA_PTR SignedBundle)
This function accepts as input a certificate group (as an array of individual certificates) and returns a certificate bundle (a codified and signed aggregation of the certificates in the group). The certificate group will first be encoded according to the BundleInfo input by the user. If BundleInfo is NULL, the library will perform a default encoding for its default bundle type. If possible, the certificate group ordering will be maintained in this certificate aggregate encoding. After encoding, the certificate aggregate will be signed using the input context and signer certificate. The CL module embeds knowledge of the signing scope for the bundle types it supports. The signature is then associated with the certificate aggregate according to the bundle type and encoding rules and is returned as a bundle to the calling application.
- CLHandle (input)
The handle of the add-in module to perform this operation.
- CCHandle (input/optional)
The handle of the cryptographic context to control the signing operation. The operation will fail if a signature is required for this type of bundle and the cryptographic context is not valid.
- CertGroupToBundle (input)
An array of individual, encoded certificates. All of the certificates in this list will be included in the resulting certificate bundle.
- SignerCert (input/optional)
If signing is required for this type of certificate bundle, this is the certificate to be used to sign the bundle. If a signing certificate is required but not specified, then the module will assume a default certificate. If a signature is not required for this certificate bundle type, this parameter will be ignored.
- BundleInfo (input/optional)
A structure containing the type and encoding of the bundle to be created. If the type and the encoding are not specified, then the module will assume a default bundle type and bundle encoding.
- SignedBundle (output)
The function returns a pointer to a signed certificate bundle containing all of the certificates in the certificate group. The bundle is of the type and encoding requested by the caller or is the default type defined by the library module if the BundleInfo was not specified by the caller. The SignedBundle->Data is allocated by the service provider and must be deallocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGroupFromVerifiedBundle()
CL_CertGroupFromVerifiedBundle
CSSM_RETURN CSSMCLI CL_CertGroupFromVerifiedBundle (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_CERT_BUNDLE *CertBundle, const CSSM_DATA *SignerCert, CSSM_CERTGROUP_PTR *CertGroup)
This function accepts as input a certificate bundle (a codified and signed aggregation of the certificates in the group), verifies the signature of the bundle (if a signature is present) and returns a certificate group (as an array of individual certificates) including every certificate contained in the bundle. The signature on the certificate aggregate is verified using the cryptographic context and possibly using the input signer certificate. The CL module embeds the knowledge of the verification scope for the bundle types that it supports. A CL module's supported bundle types and encodings are available to applications by querying the CSSM registry. The type and encoding of the certificate bundle must be specified with the input bundle. If signature verification is successful, the certificate aggregate will be parsed into a certificate group whose order corresponds to the certificate aggregate ordering. This certificate group will then be returned to the calling application.
- CLHandle (input)
The handle of the add-in module to perform this operation.
- CCHandle (input)
The handle of the cryptographic context to control the verification operation.
- CertBundle (input)
A structure containing a reference to a signed, encoded bundle of certificates, and to descriptors of the type and encoding of the bundle. The bundled certificates are to be separated into a certificate group (list of individual encoded certificates). If the bundle type and bundle encoding are not specified, the add-in module may either attempt to decode the bundle assuming a default type and encoding or may immediately fail.
- SignerCert (input/optional)
The certificate to be used to verify the signature on the certificate bundle. If the bundle is signed but this field is not specified, then the module will assume a default certificate for verification.
- CertGroup (output)
A pointer to the certificate group, represented as an array of individual, encoded certificates. The certificate group and CSSM_CERTGROUP sub-structures are allocated by the service provider and must be deallocated by the application. The group contains all of the certificates contained in the certificate bundle.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CertGroupToSignedBundle()
CL_CertDescribeFormat
CSSM_RETURN CSSMCLI CL_CertDescribeFormat (CSSM_CL_HANDLE CLHandle, uint32 *NumberOfOids, CSSM_OID_PTR *OidList)
This function returns a list of the CSSM_OID values this certificate library module uses to name and reference fields of a certificate. Multiple CSSM_OID values can correspond to a single field. These OIDs can be provided as input toCL_CertGetFirstFieldValue() to retrieve field values from the certificate. The OID also implies the data format of the returned value. When multiple OIDs name the same field of a certificate, those OIDs have a different return data formats associated with them.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- NumberOfOids (output)
The length of the returned array of OIDs.
- OidList
A pointer to the array of CSSM_OIDs which represent the supported certificate format. The OID list is allocated by the service provider and must be de-allocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CSSM_CL_CertGetAllFields()
CSSM_CL_CertGetFirstFieldValue()
CL_CertGetFirstCachedFieldValue()
CL_CrlCreateTemplate
CSSM_RETURN CSSMCLI CL_CrlCreateTemplate (CSSM_CL_HANDLE CLHandle uint32 NumberOfFields, const CSSM_FIELD_PTR *CrlTemplate, CSSM_DATA_PTR NewCrl)
This function creates an unsigned, memory-resident CRL. Fields in the CRL are initialized with the descriptive data specified by the OID/value input pairs. The specified OID/value pairs can initialize all or a subset of the general attribute fields in the new CRL, though the module developer may specify a set of fields that must be or cannot be set using this operation. Subsequent values may be set using theCL_CrlSetFields() operation.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- NumberOfFields (input)
The number of OID/value pairs specified in the CrlTemplate input parameter.
- CrlTemplate (input)
Any array of field OID/value pairs containing the values to initialize the CRL attribute fields.
- NewCrl (output)
A pointer to the CSSM_DATA structure containing the new CRL. The NewCrl->Data is allocated by the service provider and must be deallocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlSetFields()
CL_CrlAddCert()
CL_CrlSign()
CL_CertGetFirstFieldValue()
CL_CrlSetFields
CSSM_RETURN CSSMCLI CL_CrlSetFields (CSSM_CL_HANDLE CLHandle, uint32 NumberOfFields, const CSSM_FIELD_PTR *CrlTemplate, const CSSM_DATA_PTR *OldCrl, CSSM_DATA_PTR ModifiedCrl)
This function will set the fields of the input CRL to the new values, specified by the input OID/value pairs. The module developer may specify a set of fields that must be or cannot be set using this operation. This operation is valid only if the CRL has not been closed by the process of signing the CRL (that is, execution of the functionCL_CrlSign() ). Once the CRL has been signed, fields cannot be changed.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- NumberOfFields (input)
The number of OID/value pairs specified in the CrlTemplate input parameter.
- CrlTemplate (input)
Any array of field OID/value pairs containing the values to initialize the CRL attribute fields.
- OldCrl (input)
The CRL to be updated with the new attribute values. The CRL must be unsigned and available for update.
- ModifiedCrl (output)
A pointer to the modified, unsigned CRL. The ModifiedCrl->Data is allocated by the service provider and must be deallocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CSSM_CL_CrlCreateTemplate()
CSSM_CL_CrlAddCert()
CSSM_CL_CrlSign()
CSSM_CL_CertGetFirstFieldValue()
CL_CrlAddCert
CSSM_RETURN CSSMCLI CL_CrlAddCert (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *Cert, uint32 NumberOfFields, const CSSM_FIELD *CrlEntryFields, const CSSM_DATA *OldCrl, CSSM_DATA_PTR NewCrl)
This function revokes the input certificate by adding a record representing the certificate to the CRL. The values for the new entry in the CRL are specified by the a list of OID/value input pairs. The module developer may specify that a certain set of fields must be or cannot be set by use of the list of OID/value pairs. If the CRL format supports the signing of individual records, new CRL entry is signed using the private key and signing algorithm specified in the CCHandle.The CCHandle must be a context created using the function
CSSM_CSP_CreateSignatureContext() . The context must specify the Cryptographic Services Provider module, the signing algorithm, and the signing key that must be used to perform this operation. The context must also provide the passphrase or a callback function to obtain the passphrase required to access and use the private key.The operation is valid only if the CRL has not been closed by the process of signing the CRL (that is, execution of the function
CL_CrlSign() ). Once the CRL has been signed, entries cannot be added or removed.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CCHandle (input/optional)
The handle that describes the context of this cryptographic operation.
- Cert (input)
A pointer to the CSSM_DATA structure containing the certificate to be revoked.
- NumberOfFields (input)
The number of OID/value pairs specified in the CrlEntryFields input parameter.
- CrlEntryFields (input)
An array of OID/value pairs specifying the initial values for descriptive data fields of the new CRL entry.
- OldCrl (input)
A pointer to the CSSM_DATA structure containing the CRL to which the newly revoked certificate will be added.
- NewCrl (output)
A pointer to the CSSM_DATA structure containing the updated CRL. The NewCrl->Data is allocated by the service provider and must be deallocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlRemoveCert()
CL_CrlRemoveCert
CSSM_RETURN CSSMCLI CL_CrlRemoveCert (CSSM_CL_HANDLE CLHandle, const CSSM_DATA_PTR *Cert, const CSSM_DATA_PTR *OldCrl, CSSM_DATA_PTR NewCrl)
This function reinstates a certificate by removing it from the specified CRL. The operation is valid only if the CRL has not be closed by the process of signing the CRL (that is, execution of the functionCL_CrlSign() ). Once the CRL has been signed, entries cannot be added or removed.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- Cert (input)
A pointer to the CSSM_DATA structure containing the certificate to be unrevoked.
- OldCrl (input)
A pointer to the CSSM_DATA structure containing the CRL from which the certificate is to be removed.
- NewCrl (output)
A pointer to the CSSM_DATA structure containing the updated CRL. The NewCrl->Data is allocated by the service provider and must be deallocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlAddCert()
CL_CrlSign
CSSM_RETURN CSSMCLI CL_CrlSign (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *UnsignedCrl, const CSSM_FIELD *SignScope, uint32 ScopeSize, CSSM_DATA_PTR SignedCrl)
This function signs a certificate revocation list using the private key and signing algorithm specified in the CCHandle. The result is a signed, encoded certificate revocation list in SignedCrl. The unsigned CRL is specified in the input UnsignedCrl. The UnsignedCrl is constructed using theCSSM_CL_CrlCreateTemplate() ,CSSM_CL_CrlSetFields() ,CSSM_CL_CrlAddCert() , andCSSM_CL_CrlRemoveCert() functions.The CCHandle must be a context created using the function
CSSM_CSP_CreateSignatureContext() . The context must specify the Cryptographic Services Provider module, the signing algorithm, and the signing key that must be used to perform this operation. The context must also provide the passphrase or a callback function to obtain the passphrase required to access and use the private key.The fields included in the signing operation are identified by the OIDs in the optional SignScope array.
Once the CRL has been signed it may not be modified. This means that entries cannot be added or removed from the CRL through application of the
CL_CrlAddCert() orCL_CrlRemoveCert() operations. A signed CRL can be verified, applied to a data store, and searched for values.The memory for the SignedCrl->Data output is allocated by the service provider using the calling application's memory management routines. The application must deallocate the memory.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CCHandle (input)
The handle that describes the context of this cryptographic operation.
- UnsignedCrl (input)
A pointer to the CSSM_DATA structure containing the CRL to be signed.
- SignScope (input)
A pointer to the CSSM_FIELD array containing the tag/value pairs of the fields to be signed. A null input signs all the fields in the CRL.
- ScopeSize (input)
The number of entries in the sign scope list.
- SignedCrl (output)
A pointer to the CSSM_DATA structure containing the signed CRL. The SignedCrl->Data is allocated by the service provider and must be deallocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlVerify()
CL_CrlVerify
CSSM_RETURN CSSMCLI CL_CrlVerify (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *CrlToBeVerified, const CSSM_DATA *SignerCert, const CSSM_FIELD *VerifyScope, uint32 ScopeSize)
This function verifies that the signed CRL has not been altered since it was signed by the designated signer. It does this by verifying the digital signature over the fields specified by the VerifyScope parameter.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CCHandle (input)
The handle that describes the context of this cryptographic operation.
- CrlToBeVerified (input)
A pointer to the CSSM_DATA structure containing the CRL to be verified.
- SignerCert (input)
A pointer to the CSSM_DATA structure containing the certificate used to sign the CRL.
- VerifyScope (input)
A pointer to the CSSM_FIELD array containing the tag/value pairs of the fields to be verified. A null input verifies all the fields in the CRL.
- ScopeSize (input)
The number of entries in the verify scope list.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlSign()
CL_CrlVerifyWithKey
CSSM_RETURN CSSMCLI CL_CrlVerifyWithKey (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *CrlToBeVerified)
This function verifies that the CrlToBeVerified was signed using a specific private key and that the certificate revocation list has not been altered since it was signed using that private key. The public key corresponding to the private signing key is used in the verification process.The cryptographic context indicated by CCHandle must be a signature verification context created using the function
CSP_CreateSignatureContext() . The context must specify the Cryptographic Services Provider module, the verification algorithm, and the public verification key that must be used to perform this operation.
- CLHandle (input)
The handle that describes the certificate library service module used to perform this function.
- CCHandle (input)
A signature verification context defining the CSP, verification algorithm, and public key that must be used to perform the operation.
- CrlToBeVerified (input)
A signed certificate revocation list whose signature is to be verified.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlVerify()
CL_IsCertInCrl
CSSM_RETURN CSSMCLI CL_IsCertInCrl (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Cert, const CSSM_DATA *Crl, CSSM_BOOL *CertFound)
This function searches the CRL for a record corresponding to the certificate. The result of the search is returned in CertFound. The CRL and the records within the CRL must be digitally signed. This function does not verify either signature. The caller should useCSSM_TP_CrlVerify() orCSSM_CL_CrlVerify() before invoking this function. Once the CRL has been verifiedi, the caller can invoke this function repeatedly without repeating the verification process.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- Cert (input)
A pointer to the CSSM_DATA structure containing the certificate to be located.
- Crl (input)
A pointer to the CSSM_DATA structure containing the CRL to be searched.
- CertFound (output)
A pointer to a CSSM_BOOL indicating success or failure in finding the specified certificate in the CRL. CSSM_TRUE signifies that the certificate was found in the CRL. CSSM_FALSE indicates that the certificate was not found in the CRL.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlGetFirstFieldValue
CSSM_RETURN CSSMCLI CL_CrlGetFirstFieldValue (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Crl, const CSSM_OID *CrlField, CSSM_HANDLE_PTR ResultsHandle, uint32 *NumberOfMatchedFields, CSSM_DATA_PTR *Value)
This function returns the value of the CRL field designated by the CSSM_OID CrlField. The OID also identifies the data format for the field value returned to the caller. If multiple OIDs name the same CRL field, then each such OID defines a distinct data format for the returned field value. The functionCL_CrlDescribeFormat() provides a list of all CSSM_OID values supported by a certificate library module for naming fields of a CRL.If more than one field matches the CrlField OID, the first matching field will be returned. The number of matching fields is an output parameter, as is the ResultsHandle to be used to retrieve the remaining matching fields.
The set of matching fields is determined by this function. The number of matching fields and the field values do not change between this function and subsequent calls to
CL_CrlGetNextFieldValue() .
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- Crl (input)
A pointer to the CSSM_DATA structure that contains the CRL from which the field is to be retrieved.
- CrlField (input)
A pointer to an object identifier that identifies the field value to be extracted from the Crl.
- ResultsHandle (output)
A pointer to the CSSM_HANDLE, which should be used to obtain any additional matching fields.
- NumberOfMatchedFields (output)
The total number of fields that match the CrlField OID. This count includes the first match, which was returned by this function.
- Value (output)
A pointer to the structure containing the value of the requested field. The structure and the field at I "(*Value)->Data" are allocated by the service provider. TheCSSM_CL_FreeFieldValue() function can be used to deallocate *Value and (*Value)->Data.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlGetNextFieldValue()
CL_CrlAbortQuery()
CL_CrlGetAllFields()
CL_CrlGetNextFieldValue
CSSM_RETURN CSSMCLI CL_CrlGetNextFieldValue (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE ResultsHandle, CSSM_DATA_PTR *Value)
This function returns the value of a CRL field, when that field occurs multiple times in a CRL. CRLs with repeated fields (such as revocation records) have multiple field values corresponding to a single OID. A call to the functionCL_CrlGetFirstFieldValue() initiates the process and returns a results handle identifying the size and values contained in the result set. TheCL_CrlGetNextFieldValue() function can be called repeatedly to obtain these values, one at a time. The result set does not change in size or value between calls to this function.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- ResultsHandle (input)
The handle that identifies the results of a CRL query.
- Value (output)
A pointer to the structure containing the value of the requested field. The structure and the field at I "(*Value)->Data" are allocated by the service provider. TheCSSM_CL_FreeFieldValue() function can be used to deallocate *Value and (*Value)->Data.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlGetFirstFieldValue()
CL_CrlAbortQuery()
CL_CrlAbortQuery
CSSM_RETURN CSSMCLI CL_CrlAbortQuery (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE ResultsHandle)
This function terminates the query initiated byCL_CrlGetFirstFieldValue() orCL_CrlGetFirstCachedFieldValue() and allows the CL to release all intermediate state information associated with the repeating-value get operation. Once this function has been invoked, the results handle is invalid.Applications must invoke this function to terminate the ResultsHandle. Using
CL_CrlGetNextFieldValue() orCL_CrlGetNextCachedFieldValue() to access all of the attributes named by a single OID does not terminate the ResultsHandle. This function can be invoked to terminate the results handle without accessing all of the values identified by the single OID.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- ResultsHandle (input)
The handle that identifies the results of a CRL query.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlGetFirstFieldValue()
CL_CrlGetNextFieldValue()
CL_CrlGetFirstCachedFieldValue()
CL_CrlGetNextCachedFieldValue()
CL_CrlGetAllFields
CSSM_RETURN CSSMCLI CL_CrlGetAllFields (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Crl, uint32 *NumberOfCrlFields, CSSM_FIELD_PTR *CrlFields)
This function returns one or more structures each containing a set of field values from the encoded, packed CRL contained in Crl. Each structure is returned in the FieldValue entry of the CSSM_FIELD structure CrlFields.. The parameter NumberOfCrlFields indicates the number of returned structures.The CRL can be signed or unsigned. This function does not perform any signature verification on the CRL fields or the CRL-records. Each CRL-record can be digitally signed when it is added to the CRL using the function
CL_CrlAddCert() .
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- Crl (input)
A pointer to the CSSM_DATA structure that contains the encoded, packed, CRL from which field values are to be extracted.
- NumberOfCrlFields (output)
The number of entries in the array CrlFields.
- CrlFields (output)
A pointer to an array of OID-value pairs that describe the contents of the CRL. The extracted CRL fields are returned as the value portion of each OID-value pair. The field list is allocated by the service provider and must be deallocated by the application by callingCSSM_CL_FreeFields() .
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlCache
CSSM_RETURN CSSMCLI CL_CrlCache (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Crl, CSSM_HANDLE_PTR CrlHandle)
This function caches a copy of a CertificateRevocationList (CRL) for subsequent accesses using the functionsCL_CrlGetFirstFieldValue() andCL_CrlGetNextFieldValue() .The input CRL must be in an encoded representation. The Certificate Library module can cache the CRL in any appropriate internal represent. Parsed or incrementally parsed representations are common. The selected representation is opaque to the caller.
The application must call
CL_CrlCacheAbort() to remove the cached copy when additional get operations will not be performed on the cached CRL.
- CLHandle (input)
The handle that describes the certificate library module used to perform this function.
- Crl (input)
A pointer to the CSSM_DATA structure containing the encoded CRL.
- CrlHandle (output)
A pointer to the CSSM_HANDLE that should be used in all future references to the cached CRL.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CSSM_CL_CrlGetFirstCachedFieldValue()
CSSM_CL_CrlGetNextCachedFieldValue()
CSSM_CL_IsCertInCachedCrl()
CSSM_CL_CrlAbortQuery()
CSSM_CL_CrlAbortCache()
CL_IsCertInCachedCrl
CSSM_RETURN CSSMCLI CL_IsCertInCachedCrl (CSSM_CL_HANDLE CLHandle, const CSSM_DATA *Cert, CSSM_HANDLE CrlHandle, CSSM_BOOL *CertFound, CSSM_DATA_PTR CrlRecordIndex)
This function searches the cached CRL for a record corresponding to the certificate. The result of the search is returned in CertFound. The CRL and the records within the CRL must be digitally signed. This function does not verify either signature. The caller should useTP_CrlVerify() orCL_CrlVerify() before invoking this function. Once the CRL has been verified, the caller can invoke this function repeatedly without repeating the verification process.If the certificate is found in the CRL, the CL module returns an index descriptor CrlRecordIndex for use with other Certificate Library CRL functions. The index provides more direct access to the selected CRL record.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- Cert (input)
A pointer to the CSSM_DATA structure containing an encoded, packed certificate.
- CrlHandle (input)
A handle identifying a CRL that the application has temporarily cached with the Certificate Library module. The referenced CRL is searched for a revocation record matching the specified Cert.
- CertFound (output)
A pointer to a CSSM_BOOL indicating success or failure in finding the specified certificate in the CRL. CSSM_TRUE signifies that the certificate was found in the CRL. CSSM_FALSE indicates that the certificate was not found in the CRL.
- CrlRecordIndex (output/optional)
A pointer to a CSSM_DATA structure containing an index descriptor for direct access to the located CRL record. CrlRecordIndex->Data is allocated by the service provider and must be deallocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlGetFirstCachedFieldValue()
CL_CrlGetNextCachedFieldValue()
CL_CrlGetAllCachedRecordFields()
CL_CrlCache()
CL_CrlAbortCache()
CL_CrlGetFirstCachedFieldValue
CSSM_RETURN CSSMCLI CL_CrlGetFirstCachedFieldValue (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE CrlHandle, const CSSM_DATA *CrlRecordIndex, const CSSM_OID *CrlField, CSSM_HANDLE_PTR ResultsHandle, uint32 *NumberOfMatchedFields, const CSSM_DATA_PTR *FieldValue)
This function returns a single structure containing a set of field values from the cached CRL identified by CrlHandle.TheselectedfieldsaredesignatedbytheCSSM_OID CrlField and returned in the output parameter FieldValue. The OID also identifies the data format of the values returned to the caller. If multiple OIDs designate the same CRL field, then each such OID defines a distinct data format for the returned values. The functionCL_CrlDescribeFormat() provides a list of all CSSM_OID values supported by a CL module for naming fields of a CRL.The search can be limited to a particular revocation record within the CRL. A single record is identified by the CrlRecordIndex, which is returned by the function
CL_IsCertInCachedCrl() . If no record index is supplied, the search is initiated from the beginning of the CRL.The CRL can be signed or unsigned. This function does not perform any signature verification on the CRL fields or the CRL-records. Each CRL-record may be digitally signed when it is added to the CRL using the function
CL_CrlAddCert() . The caller can examine fields in the CRL and CRL-records at any time using this function.The CrlField OID can identify a single occurrence of a set of CRL fields, or multiple occurrences of a set of CRL fields. If the CrlField OID matches more than one occurrence, this function outputs the total number of matches and a ResultsHandle to be used as input to
CSSM_CrlGetNextFieldValue() to retrieve the remaining matches. The first match is returned as the return value of this function..This function determines the complete set of matches. The number of matches and the selected field values do not change between this function and subsequent calls to
CL_CrlGetNextFieldValue.()
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CrlHandle (input)
A handle identifying a CRL that the application has temporarily cached with the Certificate Library module. The referenced CRL is searched for the field values identified by CrlField.
- CrlRecordIndex (input/optional)
An index value identifying a particular revocation record in a cached CRL. If an index value is supplied, the scan for the field values identified by CrlField is limited to the pre-selected revocation record.
- CrlField (input)
A pointer to an object identifier that identifies the field value to be extracted from the Crl.
- ResultsHandle (output)
A pointer to the CSSM_HANDLE, which should be used to obtain any additional matching fields.
- NumberOfMatchedFields (output)
The total number of fields that match the CrlField OID. This count includes the first match, which was returned by this function.
- FieldValue (output)
A pointer to the structure containing the value of the requested field. The structure and the field at I "(*FieldValue)->Data" are allocated by the service provider. TheCSSM_CL_FreeFieldValue() function can be used to deallocate *FieldValue and (*FieldValue)->Data.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlGetNextCachedFieldValue()
CL_IsCertInCachedCrl()
CL_CrlAbortQuery()
CL_CrlCache()
CL_CrlAbortCache()
CL_CrlDescribeFormat()
CL_FreeFieldValue()
CL_CrlGetNextCachedFieldValue
CSSM_RETURN CSSMCLI CL_CrlGetNextCachedFieldValue (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE ResultsHandle, const CSSM_DATA_PTR *FieldValue)
This function returns the value of a CRL field, when that field occurs multiple times in a CRL. CRLs with repeated fields (such as revocation records) have multiple field values corresponding to a single OID. A call to the functionCL_CrlGetFirstCachedFieldValue() initiates the process and returns a ResultsHandle identifying the size and values contained in the result set. TheCL_CrlGetNextCachedFieldValue() function can be called repeatedly to obtain these values, one at a time. The result set does not change in size or value between calls to this function.The results set selected by
CL_CrlGetFirstCachedFieldValue() and identified by ResultsHandle can reference CRL fields repeated across multiple revocation records or within one revocation record. The scope of the scan was set by an optional CrlRecordIndex input to the functionCL_CrlGetFirstCachedFieldValue() . If the record index was specified, then the results set is to the revocation record identified by the index. If no record index was specified, then the results set can include repeated fields from multiple revocation records in a CRL.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- ResultsHandle (input)
The handle that identifies the results of a CRL query.
- FieldValue (output)
A pointer to the structure containing the value of the requested field. The structure and the field at I "(*FieldValue)->Data" are allocated by the service provider. TheCSSM_CL_FreeFieldValue() function can be used to deallocate *FieldValue and (*FieldValue)->Data.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlGetFirstCachedFieldValue()
CL_CrlAbortQuery()
CL_IsCertInCachedCrl()
CL_CrlCache()
CL_CrlAbortCache()
CL_FreeFieldValue()
CL_CrlGetAllCachedRecordFields
CSSM_RETURN CSSMCLI CL_CrlGetAllCachedRecordFields (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE CrlHandle, Const CSSM_DATA_PTR *CrlRecordIndex, uint32 *NumberOfFields, CSSM_FIELD_PTR *Fields)
This function returns all field values from a pre-located, cached CRL record. The scanned CRL record is identified by CrlRecordIndex, which is returned by the functionCL_IsCertInCachedCrl() .Fields are returned as a set of OID-value pairs. The OID identifies the CRL record field and the data format of the value extracted from that field. The Certificate Library module defines and uses a preferred data format for returning field values in this function.
Each CRL record may be digitally signed when it is added to the CRL using the function
CL_CrlAddCert() . This function does not perform any signature verification on the CRL record.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CrlHandle (input)
A handle identifying a CRL that the application has temporarily cached with the Certificate Library module. The referenced CRL must contain the CRL record identified by CrlRecordIndex.
- CrlRecordIndex (input)
An index value identifying a particular revocation record in a cached CRL.
- NumberOfFields (output)
The number of OID-value pairs returned by this function.
- Fields (output)
A pointer to an array of CSSM_FIELD structures, describing the contents of the pre-selected CRL record using OID-value pairs. The field list is allocated by the service provider and must be deallocated by the application by callingCSSM_CL_FreeFields() .
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_IsCertInCachedCrl()
CL_CrlCache()
CL_CrlAbortCache()
CSSM_CL_FreeFields()
CL_CrlAbortCache
CSSM_RETURN CSSMCLI CL_CrlAbortCache (CSSM_CL_HANDLE CLHandle, CSSM_HANDLE CrlHandle)
This function terminates a CRL cache handle created and returned by the functionCSSM_CL_CrlCache() . The Certificate Library module releases all cache space and state information associated with the cached CRL.
- CLHandle (input)
The handle that describes the certificate library module used to perform this function.
- CrlHandle (input)
The handle that identifies the cached CRL.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_CrlDescribeFormat
CSSM_RETURN CSSMCLI CL_CrlDescribeFormat (CSSM_CL_HANDLE CLHandle, uint32 *NumberOfOids, CSSM_OID_PTR *OidList)
This function returns a list of the CSSM_OID values this certificate library module uses to name and reference fields of a CRL. Multiple CSSM_OID values can correspond to a single field. These OIDs can be provided as input toCL_CrlGetFirstFieldValue() to retrieve field values from the CRL. The OID also implies the data format of the returned value. When multiple OIDs name the same field of a CRL, those OIDs have a different return data formats associated with them.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- NumberOfOids (output)
The length of the output array.
- OidList (output)
A pointer to the array of CSSM_OIDs which represent the supported CRL format. The OID list is allocated by the service provider and must be de-allocated by the application.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
CL_PassThrough
CSSM_RETURN CSSMCLI CL_PassThrough (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, uint32 PassThroughId, const void *InputParams, void **OutputParams)
This function allows applications to call certificate library module-specific operations. Such operations may include queries or services that are specific to the domain represented by the CL module.
- CLHandle (input)
The handle that describes the add-in certificate library module used to perform this function.
- CCHandle (input/optional)
The handle that describes the context of the cryptographic operation.
- PassThroughId (input)
An identifier assigned by the CL module to indicate the function to perform.
- InputParams (input/optional)
A pointer to a module implementation-specific structure containing parameters to be interpreted in a function-specific manner by the requested CL module.
- OutputParams (output/optional)
A pointer to a module, implementation-specific structure containing the output data. The service provider allocates the memory for the structure and sub-structures. The application should free the memory for the structure and sub-structures.
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
See the corresponding function call definition in Part 2 of this document.
Contents | Next section | Index |