Common Data Security Architecture (CDSA) White Paper

Certificate Library Services (CL) API

Serial number of the revoked certificate

Date on which the revocation occurred

Number of extensions

Pointers to extensions, if present

The certificate library manages the translation from the certificate to be revoked to its representation in the CRL.

The contents of the CRL can be queried for its revocation records, certificates, or individual CRL fields.Field management APIs allow you to set or get CRL fields, or to add or remove certificates from the certificate revocation list.

The entire CRL can be signed or verified, to ensure the integrity of its contents as it is passed between systems. Certificates can be revoked or unrevoked by adding or removing them from the CRL at any time before the CRL is signed.

Each time a CRL is changed, it must be signed to maintain its validity.

Interaction between Certificate Library and Application

Making the CL available to an application requires coordination of CSSM, CL module, and application.

An application determines the availability and capabilities (for example, certificate types and fields) of the CL module by querying the CSSM module information files.

The application then requests that CSSM attach the CL.

The CSSM returns a CL handle to the application that uniquely identifies the pairing of the application thread to the CL module instance. This handle is used by the application to identify the CL in future function calls that the CSSM passes from an application to the CL.

The application must allocate and deallocate all memory passed into or out of the CL module. It does so when the CSSM passes the handle identifying the application and module pairing to the CL.

CL APIs manipulate memory-based objects only. The CL is not responsible for ensuring the persistence of those objects (certificates, CRLs, and others); that responsibility lies with an application and/or a data library.

At attach time, the CSSM receives the certificate library’s function table, making the CL functions accessible to the CSSM. Any unsupported function has a NULL function pointer in the function table.

A pass-through function of the CLI allows access to services beyond those defined in the CSSM API, based on the data format of the certificates and CRLs manipulated by the library. The CSSM passes an operation identifier and input parameters from the application to the

36

Chapter 1

Page 36
Image 36
HP UX Security Products and Features Software manual Interaction between Certificate Library and Application