Common Data Security Architecture (CDSA) White Paper
Chapter 1
Certificate Library Services (CL) API
The CL functions are accessible to the CSSM at attach time, when the CSSM receives the
certificate library’s function table. In the function table, any unsupported function has a
NULL function pointer.
Certificate operations fall into three general areas:
Cryptographic Operations, wherein a certificate is signed and its signature verified. The
certificate library determines the certificate fields to be signed or verified and manages the
interaction with a cryptographic service provider to perform the signing or verification.
Certificate Field Management, which involves adding fields to a certificate when it is created.
Once the certificate is signed, the fields cannot be modified. However, they can be queried for
their values using the CSSM certificate interface.
The fields of a certificate format consist of tag/value pairs. The tag is an object identifier
(OID) that references specific data types or data structures within the certificate or CRL.
Cryptographic operations and field management operations affect the entire CRL and
individual revocation records. The entire CRL can be signed or verified, to ensure the
integrity of its contents as the CRL is passed between systems. Individual revocation records
can be signed when they are revoked and verified when they are queried. Certificates can be
revoked or unrevoked by adding or removing them from the CRL at any time before the CRL
is signed. The CRL can be queried for its revocation records, its certificates, or
individual CRL fields.
Certificate Operations
This section summarizes the functions that comprise the certificate operations in the CLI,
giving the operation and parameter definitions for each.
CL_CertSign ( )
Creates a digital signature for the subject certificate using the signer’s certificate. The
cryptographic context handle indicates the algorithm and parameters to be used for signing.
CL_CertVerify ( )
Verifies the signer certificate’s signature on the subject certificate. The cryptographic context
handle indicates the algorithm and parameters to be used for verification.
CL_CertCreateTemplate ( )
Creates a certificate template in the CL’s own certificate template format from the OID/value
pairs provided by the application. The CL module makes its supported OIDs available to the
application via the CertTemplate registered with CSSM and via the CL_CertDescribeFormat
function. The CL indicates which fields are required to create a certificate. A returned
certificate template is not valid until it has been signed.
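The following is an added example, not code from the white paper or from any CDSA implementation. It models in plain C the behaviour described above for the function table handed to the CSSM at attach time (an unsupported entry is a NULL pointer that the caller must test before dispatching), for certificate field management (OID/value pairs that can be added to a template but are frozen once the certificate is signed, while remaining queryable), and for CL_CertCreateTemplate (a template is not valid until signed, so verification of an unsigned template fails). All type and function names (cl_cert, cl_func_table, cl_attach, cssm_crl_add_cert, and so on) are hypothetical stand-ins rather than the CSSM declarations; the signature is a toy FNV-1a digest in place of a cryptographic service provider, and the sample field values are constructed, with standard X.500 attribute OIDs used only as example tags.

```c
/* Added example: hypothetical model of a CL function table and the
 * template -> signed certificate lifecycle. Names are NOT the CDSA API. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CL_MAX_FIELDS 8

enum { CL_OK = 0, CL_ERR_UNSUPPORTED, CL_ERR_SIGNED, CL_ERR_NOT_SIGNED,
       CL_ERR_BAD_SIG, CL_ERR_NOT_FOUND, CL_ERR_FULL };

/* One certificate field: an OID tag paired with its value. */
typedef struct { const char *oid; const char *value; } cl_field;

typedef struct {
    cl_field fields[CL_MAX_FIELDS];
    size_t   nfields;
    int      is_signed;     /* fields are frozen once this is set */
    uint32_t signature;     /* toy checksum standing in for a real signature */
} cl_cert;

/* Function table handed to the CSSM at attach time. Any entry the CL does
 * not implement is left NULL, so the CSSM must test before dispatching. */
typedef struct {
    int (*CertCreateTemplate)(cl_cert *, const cl_field *, size_t);
    int (*CertAddField)(cl_cert *, cl_field);
    int (*CertSign)(cl_cert *);
    int (*CertVerify)(const cl_cert *);
    int (*CertGetFirstFieldValue)(const cl_cert *, const char *, const char **);
    int (*CrlAddCert)(void *crl, const cl_cert *);  /* unsupported by this CL */
} cl_func_table;

/* FNV-1a over every "oid=value;" pair: placeholder for the CSP signing step. */
static uint32_t toy_digest(const cl_cert *c) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < c->nfields; i++) {
        const char *parts[3] = { c->fields[i].oid, "=", c->fields[i].value };
        for (int p = 0; p < 3; p++)
            for (const char *s = parts[p]; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
        h ^= ';'; h *= 16777619u;
    }
    return h;
}

static int cl_cert_create_template(cl_cert *c, const cl_field *f, size_t n) {
    if (n > CL_MAX_FIELDS) return CL_ERR_FULL;
    memset(c, 0, sizeof *c);
    memcpy(c->fields, f, n * sizeof *f);
    c->nfields = n;
    return CL_OK;                 /* template is unsigned, hence not yet valid */
}

static int cl_cert_add_field(cl_cert *c, cl_field f) {
    if (c->is_signed) return CL_ERR_SIGNED;      /* no field changes after signing */
    if (c->nfields == CL_MAX_FIELDS) return CL_ERR_FULL;
    c->fields[c->nfields++] = f;
    return CL_OK;
}

static int cl_cert_sign(cl_cert *c) {
    c->signature = toy_digest(c);
    c->is_signed = 1;
    return CL_OK;
}

static int cl_cert_verify(const cl_cert *c) {
    if (!c->is_signed) return CL_ERR_NOT_SIGNED;
    return toy_digest(c) == c->signature ? CL_OK : CL_ERR_BAD_SIG;
}

/* Querying a field by OID is allowed before and after signing. */
static int cl_cert_get_first_field_value(const cl_cert *c, const char *oid, const char **out) {
    for (size_t i = 0; i < c->nfields; i++)
        if (strcmp(c->fields[i].oid, oid) == 0) { *out = c->fields[i].value; return CL_OK; }
    return CL_ERR_NOT_FOUND;
}

/* What this hypothetical CL hands back at attach time. */
const cl_func_table *cl_attach(void) {
    static const cl_func_table table = {
        cl_cert_create_template, cl_cert_add_field, cl_cert_sign,
        cl_cert_verify, cl_cert_get_first_field_value, NULL /* CrlAddCert */
    };
    return &table;
}

/* CSSM-side dispatch: report "unsupported" rather than call a NULL entry. */
int cssm_crl_add_cert(const cl_func_table *t, void *crl, const cl_cert *c) {
    if (t->CrlAddCert == NULL) return CL_ERR_UNSUPPORTED;
    return t->CrlAddCert(crl, c);
}

/* Walks the lifecycle on constructed sample fields; returns CL_OK (0) only if
 * every step behaves as the text describes, otherwise the failing step number. */
int cl_lifecycle_demo(void) {
    const cl_func_table *t = cl_attach();
    const cl_field initial[] = { { "2.5.4.3", "example subject" },    /* constructed */
                                 { "2.5.4.10", "example org" } };
    cl_cert cert;
    const char *v;
    if (t->CertCreateTemplate(&cert, initial, 2) != CL_OK) return 1;
    if (t->CertVerify(&cert) != CL_ERR_NOT_SIGNED) return 2;      /* unsigned template */
    if (t->CertSign(&cert) != CL_OK) return 3;
    if (t->CertAddField(&cert, (cl_field){ "2.5.4.6", "XX" }) != CL_ERR_SIGNED) return 4;
    if (t->CertVerify(&cert) != CL_OK) return 5;
    if (t->CertGetFirstFieldValue(&cert, "2.5.4.3", &v) != CL_OK || strcmp(v, "example subject")) return 6;
    cert.fields[1].value = "tampered";                            /* bypasses the API */
    if (t->CertVerify(&cert) != CL_ERR_BAD_SIG) return 7;
    if (cssm_crl_add_cert(t, NULL, &cert) != CL_ERR_UNSUPPORTED) return 8;
    return CL_OK;
}
```

The point for an integrator is the NULL test in cssm_crl_add_cert: because a CL advertises unsupported operations by leaving the table slot NULL, every caller that holds a function table must check the slot before dispatch, and the signing step is what turns a mutable template into a certificate whose fields can only be read.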
CL_CertGetFirstFieldValue ( )