HP UX Security Products and Features Software Certiﬁcate Revocation List (CRL) and Operations

Common Data Security Architecture (CDSA) White Paper

Certiﬁcate Library Services (CL) API

Certiﬁcates may have various classiﬁcations, and increasingly, developers are wanting to include more information in a certiﬁcate. The CL module bundled as part of CDSA allows you to create extensions, which can contain additional data.

Each ﬁeld of a certiﬁcate format consists of a tag/value pair. The tag is is an object identiﬁer (OID) that references speciﬁc data types or data structures within the certiﬁcate or CRL and indicates what kind of information the ﬁeld contains. The value is the actual data corresponding to the ﬁeld. The OIDs are deﬁned in the header ﬁles oidscert.h and oidscrl.h, located in the /usr/include/cdsa/ directory. The OID structure is then passed to CSSM_CL_CertCreateTemplate(), to create the certiﬁcate.

Field management operations allow an application to retrieve ﬁelds from a certiﬁcate without knowledge of the certiﬁcate’s content or format. For example, CSSM_CL_CertGetFirstFieldValue() returns the value of a designated certiﬁcate ﬁeld.

In order for a certiﬁcate to be valid, it must be signed. To sign a certiﬁcate, pass the template (output of CSSM_CL_CertCreateTemplate()) to CSSM_CL_CertSign(). Once a certiﬁcate is signed, its ﬁelds cannot be modiﬁed. However, they can be queried for their values using the CSSM certiﬁcate interface (for example, CSSM_CL_CertGetFirstFieldValue).

The CL bundled with HP-UX as part of CDSA allows for self-signing; that is, the CA and recipient can be the same. The CL can also receive someone else’s certiﬁcate and verify it.

Before using a certiﬁcate, you must verify that it is still valid. (For example, is the signature valid? Are the dates still valid? Certiﬁcates expire.) To do so, use the API CSSM_CL_CertVerify().

Certiﬁcate Revocation List (CRL) and Operations

Certiﬁcates can be withdrawn from use or rendered invalid by placing them on a certiﬁcate revocation list (CRL). An application generates a CRL by using the API CSSM_CL_CrlCreateTemplate(). An X.509v2 CRL has the following structure:

•version

•signature algorithm

•Distinguished name ﬁeld of issuer

•Issue date of CRL

•Date next CRL will be issued

•list of revoked certiﬁcates

•numbers and sequences of extensions, if present

The revoked certiﬁcates are linked as a list with each node having the following ﬁelds:

Chapter 1