Common Data Security Architecture (CDSA) White Paper

Certificate Library Services (CL) API
Serial number of the revoked certificate
Date on which the revocation occurred
Number of extensions
Pointers to extensions, if present
The certificate library manages the translation from the certificate to be revoked to its
representation in the CRL.
The contents of the CRL can be queried for its revocation records, for the certificates it
covers, or for individual CRL fields. Field management APIs allow you to set or get CRL fields
and to add certificates to, or remove them from, the certificate revocation list.
The entire CRL can be signed, and its signature later verified, so that the integrity of its
contents can be checked as it passes between systems. Certificates can be revoked or unrevoked
by adding them to or removing them from the CRL at any time, but any such change invalidates
the existing signature: a CRL must be re-signed after each change before it is distributed, and
a relying party should accept only a CRL whose signature verifies.
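The following is an added example that models the CRL life cycle just described; it is not CDSA code or a CDSA API. The real Certificate Library is a C interface and a real CRL is a DER-encoded structure carrying the issuer's public-key signature. Here the CRL is a plain Python object and "signing" is an HMAC-SHA256 over a canonical JSON encoding under a symmetric key, an assumption made to keep the example self-contained; the record fields, the add/remove operations, and the rule that any change after signing invalidates the signature are what the example demonstrates.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class RevocationRecord:
    """One CRL entry, holding the fields the white paper lists."""
    serial_number: int
    revocation_date: str                              # ISO 8601 UTC
    extensions: list = field(default_factory=list)    # [{"oid": ..., "value": ...}]

    @property
    def num_extensions(self):
        return len(self.extensions)


class CRL:
    """Memory-based CRL object; persisting it is the caller's job, as in CDSA."""

    def __init__(self, issuer, this_update):
        self.issuer = issuer
        self.this_update = this_update
        self.records = {}        # serial_number -> RevocationRecord
        self.signature = None    # None until signed; cleared by any change

    # Field management: revoke / unrevoke by adding / removing certificates.
    def add_cert(self, cert, revocation_date, extensions=None):
        """The library translates the certificate into its CRL representation:
        only the serial number is carried into the record."""
        serial = cert["serial_number"]
        self.records[serial] = RevocationRecord(serial, revocation_date, extensions or [])
        self.signature = None    # a changed CRL must be re-signed

    def remove_cert(self, cert):
        self.records.pop(cert["serial_number"], None)
        self.signature = None

    def is_revoked(self, cert):
        return cert["serial_number"] in self.records

    def get_field(self, name):
        """Query an individual CRL field by name."""
        return {"issuer": self.issuer, "this_update": self.this_update,
                "num_records": len(self.records)}[name]

    # Signing: protects the whole CRL while it travels between systems.
    def _tbs_bytes(self):
        """Canonical to-be-signed encoding (a stand-in for DER)."""
        recs = sorted(self.records.values(), key=lambda r: r.serial_number)
        body = {"issuer": self.issuer, "this_update": self.this_update,
                "records": [{"serial": r.serial_number, "date": r.revocation_date,
                             "extensions": r.extensions} for r in recs]}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def sign(self, key):
        self.signature = hmac.new(key, self._tbs_bytes(), hashlib.sha256).digest()

    def verify(self, key):
        """False if the CRL was never signed or has changed since it was signed."""
        if self.signature is None:
            return False
        expected = hmac.new(key, self._tbs_bytes(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, self.signature)


def lifecycle_demo(key=b"constructed-issuer-key"):
    """Run the revoke / sign / change / re-sign sequence and report what a
    relying party's verify() returns at each step. Inputs are constructed."""
    crl = CRL(issuer="CN=Example CA", this_update="2024-05-01T00:00:00Z")
    cert = {"serial_number": 0x1A2B, "subject": "CN=server.example"}
    crl.add_cert(cert, "2024-05-01T00:00:00Z",
                 [{"oid": "2.5.29.21", "value": "keyCompromise"}])
    crl.sign(key)
    out = {"revoked": crl.is_revoked(cert),
           "extensions": crl.records[0x1A2B].num_extensions,
           "signed_ok": crl.verify(key)}
    crl.remove_cert(cert)                      # unrevoke after signing...
    out["after_change"] = crl.verify(key)      # ...so the old signature no longer holds
    crl.sign(key)
    out["resigned_ok"] = crl.verify(key)
    # A modification that bypasses the field-management API (e.g. in transit):
    crl.records[99] = RevocationRecord(99, "2024-05-02T00:00:00Z")
    out["tampered_ok"] = crl.verify(key)
    return out
```

The point of `lifecycle_demo` is the three negative cases: a CRL that was edited through the API and not re-signed, and a CRL whose bytes were altered behind the API's back, both fail verification, while a re-signed CRL passes. Swapping the HMAC for an asymmetric signature over DER does not change that control flow.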
Interaction between Certificate Library and Application
Making the CL available to an application requires coordination among the CSSM, the CL
module, and the application.
An application determines the availability and capabilities (for example, certificate types and
fields) of the CL module by querying the CSSM module information files.
The application then requests that CSSM attach the CL.
The CSSM returns a CL handle to the application that uniquely identifies the pairing of the
application thread with the CL module instance. The application uses this handle in all later
function calls to identify the CL to which the CSSM should route the call.
The application is responsible for allocating and freeing all memory passed into or returned
from the CL module. It supplies the memory-management functions the CL will use at attach
time, when the CSSM passes the handle identifying the application and module pairing to the CL.
CL APIs manipulate memory-based objects only. The CL is not responsible for ensuring the
persistence of those objects (certificates, CRLs, and others); that responsibility lies with an
application and/or a data library.
At attach time, the CSSM receives the certificate library’s function table, making the CL
functions accessible to the CSSM. Any unsupported function has a NULL function pointer in
the function table.
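The following is an added example that models the attach-and-dispatch sequence described above (query module information, attach, receive a handle, call through the handle with application-owned memory, and refuse calls to entry points whose function-table slot is NULL), together with the pass-through mechanism the section goes on to describe. It is not CDSA code: the real CSSM is a C framework, and the module identifier, entry-point names, error strings and pass-through operation number used here are assumptions chosen to mirror the roles the white paper describes.

```python
import itertools
from dataclasses import dataclass, field


class CSSMError(Exception):
    """Stand-in for a CSSM error return code."""


# Module information the application queries before attaching
# (stand-in for the CDSA module information files; contents constructed).
MODULE_INFO = {
    "com.example.x509cl": {"cert_types": ["X.509v3"], "crl_types": ["X.509 CRL v2"],
                           "cert_fields": ["serial", "issuer", "subject"]},
}


@dataclass
class AppMemoryFuncs:
    """The application's allocator table. Everything the CL hands back is
    allocated through it, so the application can free it later."""
    live: dict = field(default_factory=dict)

    def malloc(self, size):
        buf = bytearray(size)
        self.live[id(buf)] = buf
        return buf

    def free(self, buf):
        self.live.pop(id(buf), None)


class X509CertLibrary:
    """A CL module. Its function table has None for unsupported entry points."""

    def function_table(self):
        return {"CertGetFirstFieldValue": self.cert_get_first_field_value,
                "CrlAddCert": None,            # this module does not manage CRLs
                "PassThrough": self.pass_through}

    def cert_get_first_field_value(self, mem, cert, field_name):
        value = cert.get(field_name)
        if value is None:
            raise CSSMError("UNKNOWN_FIELD")
        data = value.encode()
        buf = mem.malloc(len(data))            # output comes from the app's allocator
        buf[:] = data
        return buf

    def pass_through(self, mem, op_id, params):
        """Format-specific services beyond the CSSM API, selected by operation id."""
        ops = {1: lambda cert: sorted(cert.get("extensions", {}))}   # 1: list extension OIDs
        if op_id not in ops:
            raise CSSMError("INVALID_PASSTHROUGH_ID")
        return ops[op_id](params)


class CSSM:
    """Attaches modules and routes application calls by handle."""

    def __init__(self):
        self._registry = {"com.example.x509cl": X509CertLibrary}
        self._attached = {}                    # handle -> (function table, memory funcs)
        self._handles = itertools.count(1)

    def get_module_info(self, guid):
        return MODULE_INFO[guid]

    def module_attach(self, guid, mem_funcs):
        """Instantiate the module, take its function table, and return a handle
        naming this application/module pairing."""
        handle = next(self._handles)
        self._attached[handle] = (self._registry[guid]().function_table(), mem_funcs)
        return handle

    def module_detach(self, handle):
        self._attached.pop(handle, None)

    def call(self, handle, func_name, *args):
        if handle not in self._attached:
            raise CSSMError("INVALID_HANDLE")
        table, mem = self._attached[handle]
        fn = table.get(func_name)
        if fn is None:                         # NULL pointer in the function table
            raise CSSMError("FUNCTION_NOT_IMPLEMENTED")
        return fn(mem, *args)


def _error_of(fn):
    try:
        fn()
        return None
    except CSSMError as e:
        return str(e)


def application_demo():
    """Query, attach, call, free, detach; returns what the application observed."""
    cssm, guid, mem = CSSM(), "com.example.x509cl", AppMemoryFuncs()
    out = {"cert_types": cssm.get_module_info(guid)["cert_types"]}
    handle = cssm.module_attach(guid, mem)
    cert = {"serial": "1A2B", "issuer": "CN=Example CA",             # constructed input
            "extensions": {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage"}}
    buf = cssm.call(handle, "CertGetFirstFieldValue", cert, "issuer")
    out["issuer"] = bytes(buf).decode()
    out["live_after_call"] = len(mem.live)
    mem.free(buf)                              # the application owns the memory
    out["live_after_free"] = len(mem.live)
    out["unsupported"] = _error_of(lambda: cssm.call(handle, "CrlAddCert", cert))
    out["ext_oids"] = cssm.call(handle, "PassThrough", 1, cert)
    cssm.module_detach(handle)
    out["stale_handle"] = _error_of(lambda: cssm.call(handle, "PassThrough", 1, cert))
    return out
```

Two checks in `CSSM.call` carry the security weight: a call through a handle that is no longer attached is rejected rather than reaching a freed module instance, and a NULL function-table slot produces a defined error rather than a jump through a null pointer. Both are the behaviour a practitioner should expect the framework, not the application, to enforce.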
A pass-through function of the CL allows access to services beyond those defined in the
CSSM API, based on the data format of the certificates and CRLs manipulated by the library.
The CSSM passes an operation identifier and input parameters from the application to the