Common Data Security Architecture (CDSA) White Paper
Certificate Library Services (CL) API
The CL functions are accessible to the CSSM at attach time, when the CSSM receives the certificate library’s function table. In the function table, any unsupported function has a NULL function pointer.
Certificate operations fall into three general areas:
Cryptographic Operations, wherein a certificate is signed and its signature verified. The certificate library determines the certificate fields to be signed or verified and manages the interaction with a cryptographic service provider to perform the signing or verification.
Certificate Field Management, which involves adding fields to a certificate when it is created. Once the certificate is signed, the fields cannot be modified. However, they can be queried for their values using the CSSM certificate interface.
The fields of a certificate format consist of tag/value pairs. The tag is an object identifier (OID) that references specific data types or data structures within the certificate or CRL.
Cryptographic operations and field management operations affect the entire CRL and individual revocation records. The entire CRL can be signed or verified, to ensure the integrity of its contents as the CRL is passed between systems. Individual revocation records can be signed when they are revoked and verified when they are queried. Certificates can be revoked or unrevoked by adding or removing them from the CRL at any time before the CRL is signed. The contents of the CRL can be queried for its revocation records, certificates, or individual CRL fields.
Certificate Operations This section summarizes the functions that comprise the certificate operations in the CLI, as to operation and parameter definitions.
CL_CertSign ( )
Creates a digital signature for the subject certificate using the signer’s certificate. The cryptographic context handle indicates the algorithm and parameters to be used for signing.
CL_CertVerify ( )
Verifies the signer certificate’s signature on the subject certificate. The cryptographic context handle indicates the algorithm and parameters to be used for verification.
CL_CertCreateTemplate ( )
Creates a certificate template in the CL’s own certificate template format from the OID/value pairs provided by the application. The CL module makes its supported OIDs available to the application via the CertTemplate registered with CSSM and via the CL_CertDescribeFormat function. The CL indicates which fields are required to create a certificate. A returned certificate template is not valid until it has been signed.
CL_CertGetFirstFieldValue ( )
38 | Chapter 1 |