z/OS Cryptographic Services PKI Services Guide and Reference


CSSM_TP_PassThrough

SA23-2286-00

Purpose

This function lets applications call TP module-specific operations that have been exported. For PKITP, the module-specific operations support certificate chain validation, based on the CA and SITE certificates that are contained within a key ring.

Format

 void * CSSMAPI CSSM_TP_PassThrough        
       (CSSM_TP_HANDLE TPHandle, 
       CSSM_CL_HANDLE CLHandle,  
       CSSM_DL_HANDLE DLHandle,  
       CSSM_DB_HANDLE DBHandle,  
       CSSM_CC_HANDLE CCHandle,  
       uint32 PassThroughId,     
       const void *InputParams)

Parameters

TPHandle
Handle to this Trust Policy module (PKITP).
CLHandle
Not used. PKITP ignores this.
DLHandle
Not used. PKITP ignores this.
DBHandle
Not used. PKITP ignores this.
CCHandle
Not used. PKITP ignores this.
PassThroughId
Used to indicate the pass-through service requested. Two services are provided:
  • Service 1 CertGroupVerify (TP_VERIFY_PASSTHROUGH)
  • Service 2 FreeEvidence (TP_FREE_EVIDENCE_PASSTHROUGH)
InputParams
Pointer to the API-caller-provided input parameter structure. The same structure is used for both pass-through functions. It is declared in pkitp.h as follows:
typedef struct tp_verify_extra {

   /* similar parameters as TP_CertGroupVerify */
   CSSM_CL_HANDLE CLHandle;
   CSSM_DL_DB_LIST_PTR DBList;
   unsigned int reserved;
   CSSM_TP_STOP_ON VerificationAbortOn;
   CSSM_CERTGROUP_PTR CertToBeVerified;

   /* extra parameters: input */
   TP_INITIALPOLICY_PTR InitialPolicy;
   time_t CurrentTime;
   time_t ValidationTime;

   /* extra parameters: output */
   CSSM_BOOL result;
   uint32 DLStatusCode;                   // Status code from DL failures
   uint32 DLindex;                        // Index (from 0) into DBList
   TP_EVIDENCE_PTR Evidence;

} TP_VERIFY_EXTRA, *TP_VERIFY_EXTRA_PTR;

The DB list

This DBList contains one or more handles to open DB stores. The last entry in this list must be a handle to an OCEPDL DB (a real or virtual SAF key ring). The key ring is used to declare the list of trusted CA and SITE certificates. Like the OCEP Trust Policy, certificate chains to verify must originate from one of these trusted CAs (anchors) or the end-entity certificate must be one of the SITE certificates. Also like the OCEP Trust Policy, if the security product (SAF) marks any certificate in the candidate chain NOTRUST, the certificate chain fails validation.

The other entries in the list are used for LDAPDL DB stores. PKITP runs through these to locate CRLs and intermediate CA certificates. For each item PKITP requests, the LDAPDLs are queried in the order in which they appear in the list. The search stops the first time an LDAPDL returns an item or when the OCEPDL is reached. No query is made to the OCEPDL to locate CRLs or intermediate CA certificates.

The initial policy

InitialPolicy points to the following optional structure, which the caller allocates and initializes. If it is not provided, PKITP uses the default values shown in the comments:
typedef struct tp_initialpolicy {

   /* initial-policy-set */
   uint32 NumberofPolicyIdentifiers; // number of application specific
                                     // policy OIDs (defaults to 0)
   CSSM_OID_PTR PolicyIdentifiers;   // Address of array of policy OIDs
                                     // or 0
   uint32 useCRLs;                   // 0 - no CRL processing
                                     // 1 - Check CRLs only if current CRLs found
                                     // 2 - Strong CRL checking (default)
   /* initial-explicit-policy indicator */
   CSSM_BOOL initialExplicitPolicy; // If true, indicates PKITP should
                                    // consider policy set critical
                                    // defaults to false
   /* initial-policy-mapping-inhibit indicator */
   CSSM_BOOL initialPolicyMappingInhibit; // not used, ignored

} TP_INITIALPOLICY, *TP_INITIALPOLICY_PTR;
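The following added example (not code from the IBM manual or from PKITP) models the two rules just described: the DBList shape and LDAPDL search order from "The DB list", and the defaults PKITP applies when InitialPolicy is omitted. DB_KIND, db_entry, the stand-in CSSM_* typedefs and both helper functions are constructed for this demonstration; real callers include cssm.h and pkitp.h and pass their open DB handles through TP_VERIFY_EXTRA.DBList.

```c
/* Added example, not from the IBM manual or PKITP. Models the DBList rules and
 * LDAPDL search order, and fills TP_INITIALPOLICY with the documented defaults.
 * DB_KIND, db_entry, the stand-in CSSM_* typedefs and both helpers are
 * constructed for this demo; real code uses cssm.h/pkitp.h and real handles. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint32_t uint32;                  /* stand-ins for the OCSF types */
typedef int CSSM_BOOL;
typedef void *CSSM_OID_PTR;
typedef struct tp_initialpolicy {         /* field order as declared in pkitp.h */
    uint32 NumberofPolicyIdentifiers;
    CSSM_OID_PTR PolicyIdentifiers;
    uint32 useCRLs;                       /* 0 none, 1 only if current CRL found, 2 strong */
    CSSM_BOOL initialExplicitPolicy;
    CSSM_BOOL initialPolicyMappingInhibit; /* ignored by PKITP */
} TP_INITIALPOLICY;

/* What PKITP assumes when InitialPolicy is omitted: no policy OIDs, strong CRL
 * checking, policy set not critical. Start here and only weaken useCRLs deliberately. */
TP_INITIALPOLICY tp_initialpolicy_defaults(void)
{
    return (TP_INITIALPOLICY){0, NULL, 2, 0, 0};
}

typedef enum { DB_LDAPDL, DB_OCEPDL } DB_KIND;   /* which DL module owns an open DB */
typedef struct { DB_KIND kind; const char *const *items; size_t nitems; } db_entry;
enum { TP_OK = 0, TP_DBLIST_BAD_LDAPDL = 8028, TP_DBLIST_NO_OCEPDL = 8503 }; /* Table 1 */

/* The last entry must be the OCEPDL key ring (trust anchors and SITE certs);
 * every entry before it must be an LDAPDL. */
uint32 dblist_check(const db_entry *list, size_t n)
{
    if (n == 0 || list[n - 1].kind != DB_OCEPDL)
        return TP_DBLIST_NO_OCEPDL;
    for (size_t i = 0; i + 1 < n; i++)
        if (list[i].kind != DB_LDAPDL)
            return TP_DBLIST_BAD_LDAPDL;
    return TP_OK;
}

/* Lookup of a CRL or intermediate CA cert: LDAPDLs in list order, stop at the first
 * hit or on reaching the OCEPDL (never queried). Returns the 0-based index, like DLindex, or -1. */
int dblist_locate(const db_entry *list, size_t n, const char *item)
{
    for (size_t i = 0; i < n && list[i].kind != DB_OCEPDL; i++)
        for (size_t j = 0; j < list[i].nitems; j++)
            if (strcmp(list[i].items[j], item) == 0)
                return (int)i;
    return -1;
}
```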

The evidence

Evidence points to the following optional, caller-provided structure. PKITP uses it to return information about the validation decision it made. The caller must free the data areas returned; the FreeEvidence pass-through function (service 2) is provided for this.
typedef struct tp_evidence {

   /* valid certification path if validation succeeds */
   CSSM_CERTGROUP_PTR CompleteCertGroup;

   /* relevant CRL if validation fails */
   CSSM_DATA_PTR CRL;

   /* relevant certificate if validation fails */
   CSSM_DATA_PTR Cert;

   /* authority-constrained-policy */
   CSSM_BOOL authAnyPolicy;
   uint32 NumberofAuthCertPolicyIdentifiers;
   CSSM_OID_PTR AuthCertPolicyIdentifiers;

   /* list of policy mappings that occurred */
   uint32 NumberOfMappedPolicies;
   TP_CSSM_OID_PAIR_PTR mappedPolicies;

} TP_EVIDENCE, *TP_EVIDENCE_PTR;

Error codes

Table 1 lists the error codes that are unique to PKI Services OCSF Trust Policy (PKITP).
Table 1. PKI Services OCSF Trust Policy (PKITP) error codes

Decimal value   Error description
8001            Certificate encoding error. Incorrect CertificatePolicies extension.
8002            Certificate policies violation.
8003            Incorrect certificate distinguished name chaining.
8004            Certificate encoding error. Subject name missing.
8006            Incorrect certificate BasicConstraints extension - cA flag off in signing certificate.
8008            Incorrect certificate KeyUsage extension - keyCertSign flag off in signing certificate.
8010            Unsupported AltName form in certificate.
8013            Certificate or CRL encoding error. Signature algorithm mismatch.
8014            Certificate encoding error. Incorrect version.
8015            CRL encoding error. Incorrect version.
8016            Unsupported critical extension in certificate.
8017            Unsupported critical extension in CRL.
8018            Unsupported critical entry extension in CRL.
8019            Certificate encoding error. Duplicate extension.
8020            CRL encoding error. Duplicate extension.
8021            Certificate signature failed verification.
8022            CRL signature failed verification.
8023            Incorrect date range in certificate or CRL. NotAfter earlier than NotBefore.
8024            Certificate's date range is in the future.
8025            Certificate has expired.
8026            CRL's date range is in the future.
8027            CRL has expired.
8028            DBList incorrect, no LDAPDL DBs or non-LDAPDL specified.
8029            CRL not found.
8030            Certificate is revoked.
8031            Unable to build certificate chain.
8033            Certificate not trusted.
8034            Incorrect CRLDistributionPoints extension in certificate.
8501            Unexpected status code returned from accessing LDAPDL.
8502            Unexpected status code returned from accessing OCEPDL.
8503            DBList incorrect, no OCEPDL DB or DB empty.

Copyright IBM Corporation 1990, 2014