Common Data Security Architecture (CDSA) White Paper

Certificate Library Services (CL) API

Serial number of the revoked certificate

Date on which the revocation occurred

Number of extensions

Pointers to extensions, if present

The certificate library manages the translation from the certificate to be revoked to its representation in the CRL.

The contents of the CRL can be queried for its revocation records, certificates, or individual CRL fields. Field management APIs allow you to set or get CRL fields, or to add or remove certificates from the certificate revocation list.

The entire CRL can be signed or verified, to ensure the integrity of its contents as it is passed between systems. Certificates can be revoked or unrevoked by adding or removing them from the CRL at any time before the CRL is signed.

Each time a CRL is changed, it must be signed to maintain its validity.
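The CRL record layout and lifecycle described above, as an added example in C that is not part of the white paper or of any CDSA implementation: each record carries the four fields listed (serial number, revocation date, extension count, extension pointers), certificates are revoked or unrevoked by adding or removing records, and every change clears the signed state so the CRL must be re-signed before it verifies again. The keyed FNV-1a digest standing in for a real digital signature, the fixed-size arrays and all function names are assumptions made for this example.

```c
/* Added example, not CDSA's own API: an in-memory model of the CRL the text
 * describes. The "signature" is a stand-in (FNV-1a digest XORed with a secret
 * word), not a real digital signature; a real CRL is signed by the issuer's
 * private key over the encoded CRL. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CRL_MAX_RECORDS 16
#define CRL_MAX_EXT 4

struct crl_record {
    uint64_t serial;              /* serial number of the revoked certificate */
    int64_t revocation_date;      /* date on which the revocation occurred (Unix time) */
    int num_ext;                  /* number of extensions */
    const char *ext[CRL_MAX_EXT]; /* pointers to extensions, if present */
};

struct crl {
    struct crl_record rec[CRL_MAX_RECORDS];
    int count;
    int is_signed;       /* cleared by every change to the record list */
    uint64_t signature;  /* stand-in signature value */
};

static void fnv_bytes(uint64_t *h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { *h ^= b[i]; *h *= 1099511628211ULL; }
}

/* Digest of every field of every record, in list order, so that a changed
 * date, a reordered list or an altered extension all change the value. */
static uint64_t crl_digest(const struct crl *c) {
    uint64_t h = 1469598103934665603ULL;
    for (int i = 0; i < c->count; i++) {
        const struct crl_record *r = &c->rec[i];
        fnv_bytes(&h, &r->serial, sizeof r->serial);
        fnv_bytes(&h, &r->revocation_date, sizeof r->revocation_date);
        for (int e = 0; e < r->num_ext; e++)
            fnv_bytes(&h, r->ext[e], strlen(r->ext[e]) + 1);
    }
    return h;
}

struct crl *crl_init(struct crl *c) { memset(c, 0, sizeof *c); return c; }

/* Index of the record for `serial`, or -1 if the certificate is not revoked. */
int crl_find(const struct crl *c, uint64_t serial) {
    for (int i = 0; i < c->count; i++)
        if (c->rec[i].serial == serial) return i;
    return -1;
}

int crl_is_revoked(const struct crl *c, uint64_t serial) { return crl_find(c, serial) >= 0; }

/* Revoke: append a record. Fails on a duplicate serial, too many extensions or a full list. */
int crl_add_cert(struct crl *c, uint64_t serial, int64_t when, const char **ext, int num_ext) {
    if (c->count >= CRL_MAX_RECORDS || num_ext > CRL_MAX_EXT || crl_find(c, serial) >= 0)
        return -1;
    struct crl_record *r = &c->rec[c->count++];
    r->serial = serial;
    r->revocation_date = when;
    r->num_ext = num_ext;
    for (int e = 0; e < num_ext; e++) r->ext[e] = ext[e];
    c->is_signed = 0;   /* the CRL changed: the old signature no longer covers it */
    return 0;
}

/* Unrevoke: remove the record and close the gap. */
int crl_remove_cert(struct crl *c, uint64_t serial) {
    int i = crl_find(c, serial);
    if (i < 0) return -1;
    memmove(&c->rec[i], &c->rec[i + 1], (size_t)(c->count - i - 1) * sizeof c->rec[0]);
    c->count--;
    c->is_signed = 0;
    return 0;
}

/* Sign the current contents under `key`; always succeeds and returns 0. */
int crl_sign(struct crl *c, uint64_t key) {
    c->signature = crl_digest(c) ^ key;
    c->is_signed = 1;
    return 0;
}

/* 1 if the CRL is signed and unchanged since it was signed under `key`, else 0. */
int crl_verify(const struct crl *c, uint64_t key) {
    return c->is_signed && (c->signature ^ key) == crl_digest(c);
}
```

The point a relying party should take from the model is the verify check: it requires both that a signature exists and that the digest of every field still matches, so a CRL edited after signing (a record dropped to "unrevoke" a certificate, a date moved) fails verification until the issuer re-signs it.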

Interaction between Certificate Library and Application

Making the CL available to an application requires coordination among the CSSM, the CL module, and the application.

An application determines the availability and capabilities (for example, certificate types and fields) of the CL module by querying the CSSM module information files.

The application then requests that CSSM attach the CL.

The CSSM returns a CL handle to the application that uniquely identifies the pairing of the application thread to the CL module instance. The application uses this handle to identify the CL in subsequent function calls, which the CSSM forwards from the application to the CL.

The application is responsible for allocating and deallocating all memory passed into or out of the CL module; it takes on that responsibility when the CSSM passes the handle identifying the application and module pairing to the CL.

CL APIs manipulate memory-based objects only. The CL is not responsible for ensuring the persistence of those objects (certificates, CRLs, and others); that responsibility lies with an application and/or a data library.

At attach time, the CSSM receives the certificate library’s function table, making the CL functions accessible to the CSSM. Any unsupported function has a NULL function pointer in the function table.
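The attach step described above, as an added example in C that is not the white paper's or any CDSA implementation's code: the module hands the framework (playing the CSSM role) a function table in which unsupported services are NULL entries, attach returns a handle that later calls pass back, the dispatcher checks for a bad handle and for a NULL entry before calling through the table, and a pass-through entry dispatches on an operation identifier for format-specific services outside the fixed table. The handle type, the error codes, the toy certificate format (an 8-byte big-endian serial) and every name in the block are assumptions made for this example.

```c
/* Added example, not CDSA code: a model of module attach, handle-based
 * dispatch, NULL function-table entries and a pass-through operation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CL_OK                0
#define CL_ERR_NOT_SUPPORTED (-1)   /* NULL entry in the module's function table */
#define CL_ERR_BAD_HANDLE    (-2)
#define CL_ERR_BAD_OP        (-3)   /* unknown pass-through operation id */
#define CL_ERR_BAD_INPUT     (-4)
#define MAX_ATTACH           4

typedef uint32_t cl_handle_t;       /* hypothetical handle type; 0 is never valid */

/* Hypothetical function table: one entry per service the framework can forward. */
struct cl_function_table {
    int (*cert_get_serial)(const uint8_t *cert, size_t len, uint64_t *serial);
    int (*crl_sign)(uint8_t *crl, size_t len);
    int (*pass_through)(uint32_t op, const void *in, void *out);
};

/* --- toy module: supports serial extraction and one pass-through op, not CRL signing --- */
#define TOY_OP_SERIAL_DECIMAL 1
struct toy_pt_input { const uint8_t *cert; size_t len; };

static int toy_cert_get_serial(const uint8_t *cert, size_t len, uint64_t *serial) {
    if (cert == NULL || len < 8 || serial == NULL) return CL_ERR_BAD_INPUT;
    uint64_t s = 0;
    for (int i = 0; i < 8; i++) s = (s << 8) | cert[i];   /* toy format: big-endian serial */
    *serial = s;
    return CL_OK;
}

/* Format-specific service outside the fixed table: serial as decimal text (out is char[32]). */
static int toy_pass_through(uint32_t op, const void *in, void *out) {
    if (op != TOY_OP_SERIAL_DECIMAL) return CL_ERR_BAD_OP;
    const struct toy_pt_input *pin = in;
    uint64_t serial;
    int rc = toy_cert_get_serial(pin->cert, pin->len, &serial);
    if (rc != CL_OK) return rc;
    snprintf((char *)out, 32, "%llu", (unsigned long long)serial);
    return CL_OK;
}

const struct cl_function_table toy_module_table = {
    .cert_get_serial = toy_cert_get_serial,
    .crl_sign = NULL,                 /* unsupported: NULL function pointer */
    .pass_through = toy_pass_through,
};

/* --- framework side --- */
static const struct cl_function_table *attached[MAX_ATTACH];

/* Register the module's table and return a handle (0 on failure). */
cl_handle_t cssm_attach(const struct cl_function_table *table) {
    if (table == NULL) return 0;
    for (uint32_t i = 0; i < MAX_ATTACH; i++)
        if (attached[i] == NULL) { attached[i] = table; return i + 1; }
    return 0;
}

int cssm_detach(cl_handle_t h) {
    if (h == 0 || h > MAX_ATTACH || attached[h - 1] == NULL) return CL_ERR_BAD_HANDLE;
    attached[h - 1] = NULL;
    return CL_OK;
}

static const struct cl_function_table *lookup(cl_handle_t h) {
    return (h == 0 || h > MAX_ATTACH) ? NULL : attached[h - 1];
}

/* Every forwarded call checks the handle, then the table entry, before calling through. */
int cssm_cert_get_serial(cl_handle_t h, const uint8_t *cert, size_t len, uint64_t *serial) {
    const struct cl_function_table *t = lookup(h);
    if (t == NULL) return CL_ERR_BAD_HANDLE;
    if (t->cert_get_serial == NULL) return CL_ERR_NOT_SUPPORTED;
    return t->cert_get_serial(cert, len, serial);
}

int cssm_crl_sign(cl_handle_t h, uint8_t *crl, size_t len) {
    const struct cl_function_table *t = lookup(h);
    if (t == NULL) return CL_ERR_BAD_HANDLE;
    if (t->crl_sign == NULL) return CL_ERR_NOT_SUPPORTED;
    return t->crl_sign(crl, len);
}

int cssm_pass_through(cl_handle_t h, uint32_t op, const void *in, void *out) {
    const struct cl_function_table *t = lookup(h);
    if (t == NULL) return CL_ERR_BAD_HANDLE;
    if (t->pass_through == NULL) return CL_ERR_NOT_SUPPORTED;
    return t->pass_through(op, in, out);
}
```

The NULL check before each call through the table is the practical consequence of "any unsupported function has a NULL function pointer": a framework that forwards a call without it turns a missing feature into a crash, and the module's own pass-through handler likewise rejects operation identifiers it does not recognise rather than guessing.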

A pass-through function of the CLI allows access to services beyond those defined in the CSSM API, based on the data format of the certificates and CRLs manipulated by the library. The CSSM passes an operation identifier and input parameters from the application to the

36

Chapter 1