Common Data Security Architecture (CDSA) White Paper

Certificate Library Services (CL) API
Certificates may have various classifications, and increasingly, developers are wanting to
include more information in a certificate. The CL module bundled as part of CDSA allows you
to create extensions, which can contain additional data.
Each field of a certificate format consists of a tag/value pair. The tag is an object identifier
(OID) that references specific data types or data structures within the certificate or CRL and
indicates what kind of information the field contains. The value is the actual data
corresponding to the field. The OIDs are defined in the header files oidscert.h and oidscrl.h,
located in the /usr/include/cdsa/ directory. The OID structure is then passed to
CSSM_CL_CertCreateTemplate(), to create the certificate.
Field management operations allow an application to retrieve fields from a certificate without
knowledge of the certificate’s content or format. For example,
CSSM_CL_CertGetFirstFieldValue() returns the value of a designated certificate field.
In order for a certificate to be valid, it must be signed. To sign a certificate, pass the template
(output of CSSM_CL_CertCreateTemplate()) to CSSM_CL_CertSign(). Once a certificate is
signed, its fields cannot be modified. However, they can be queried for their values using the
CSSM certificate interface (for example, CSSM_CL_CertGetFirstFieldValue()).
The CL bundled with HP-UX as part of CDSA allows for self-signing; that is, the CA and
recipient can be the same. The CL can also receive someone else’s certificate and verify it.
Before using a certificate, you must verify that it is still valid. (For example, is the signature
valid? Are the dates still valid? Certificates expire.) To do so, use the API
CSSM_CL_CertVerify().
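As an added illustration (not code from this white paper or from the HP-UX CL), the following C model shows the checks the text calls for before a certificate is used: the signature result, the validity dates, and membership in a CRL carrying the X.509v2 fields listed in the next section. The struct layouts, field names and the revoked-entry node are assumptions; in CDSA the signature check itself is performed by CSSM_CL_CertVerify(), so here its outcome is simply an input flag.

```c
#include <string.h>

/* Hypothetical node of the CRL's revoked-certificate list (fields assumed). */
typedef struct { unsigned long serial; long revocation_time; } revoked_entry;

/* X.509v2 CRL, with the fields listed in the CRL section of this paper. */
typedef struct {
    int version;
    const char *signature_algorithm;
    const char *issuer_dn;        /* distinguished name of issuer */
    long this_update;             /* issue date of this CRL (epoch seconds) */
    long next_update;             /* date the next CRL will be issued */
    const revoked_entry *revoked; /* list of revoked certificates */
    size_t revoked_count;
} x509v2_crl;

/* Certificate fields a validity check needs; signature_ok is assumed to be
 * the result of the CL's signature verification (CSSM_CL_CertVerify in CDSA). */
typedef struct {
    unsigned long serial;
    const char *issuer_dn;
    long not_before, not_after;
    int signature_ok;
} cert_view;

enum { CERT_OK, CERT_BAD_SIGNATURE, CERT_NOT_YET_VALID, CERT_EXPIRED,
       CRL_WRONG_ISSUER, CRL_STALE, CERT_REVOKED };

/* Returns CERT_OK only when every check passes; each check fails closed. */
int check_cert(const cert_view *c, const x509v2_crl *crl, long now)
{
    if (!c->signature_ok)                          return CERT_BAD_SIGNATURE;
    if (now < c->not_before)                       return CERT_NOT_YET_VALID;
    if (now > c->not_after)                        return CERT_EXPIRED;   /* certificates expire */
    if (strcmp(c->issuer_dn, crl->issuer_dn) != 0) return CRL_WRONG_ISSUER;
    if (now > crl->next_update)                    return CRL_STALE;      /* a newer CRL is due */
    for (size_t i = 0; i < crl->revoked_count; i++)
        if (crl->revoked[i].serial == c->serial)   return CERT_REVOKED;
    return CERT_OK;
}

/* Constructed sample data, not taken from any real CA. */
static const revoked_entry sample_revoked[] = { { 0x1001UL, 1000L } };
static const x509v2_crl sample_crl = { 2, "sha1WithRSAEncryption", "CN=Example CA",
                                       900L, 2000L, sample_revoked, 1 };
static const cert_view good_cert    = { 0x1002UL, "CN=Example CA", 500L, 5000L, 1 };
static const cert_view revoked_cert = { 0x1001UL, "CN=Example CA", 500L, 5000L, 1 };
```

Calling check_cert(&good_cert, &sample_crl, 1500L) yields CERT_OK, while the same certificate at time 3000 yields CRL_STALE because the CRL's next-update date has passed.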
Certificate Revocation List (CRL) and Operations
Certificates can be withdrawn from use or rendered invalid by placing them on a certificate
revocation list (CRL). An application generates a CRL by using the API
CSSM_CL_CrlCreateTemplate(). An X.509v2 CRL has the following structure:
Version
Signature algorithm
Distinguished name field of issuer
Issue date of CRL
Date next CRL will be issued
List of revoked certificates
Numbers and sequences of extensions, if present
The revoked certificates are linked as a list with each node having the following fields: