Certificate Management APIs

Table 1 lists the updates to the System SSL application interface for SSL/TLS APIs.

Table 1. Summary of changes to z/OS Certificate Management APIs
API Release Description Reason for change
gsk_construct_certificate() z/OS V2R1 Changed:

Added support for generating signed DSA certificates with a key size of 2048 bits and signed certificates with DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
z/OS V1R13 Changed:

Added support for generating signed ECDSA certificates.

ECDSA certificate support
gsk_construct_renewal_certificate() z/OS V2R1 Changed:

Added support for generating certificate requests with a DSA key size of 2048 bits and certificate requests that are signed with DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_construct_self_signed_certificate() z/OS V2R1 Changed:

Added support for generating self-signed DSA certificates with a key size of 2048 bits and DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
z/OS V1R13 Changed:

Added support for generating self-signed ECDSA certificates.

ECDSA certificate support
gsk_construct_signed_certificate() z/OS V2R1 Changed:

Added support for signing certificate requests using DSA 2048-bit keys and DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_create_certification_request() z/OS V2R1 Changed:

Added support for generating certificate requests with a DSA key size of 2048 bits and certificate requests that are signed with DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
z/OS V1R13 Changed:

Added support for generating ECDSA certificate requests.

ECDSA certificate support
gsk_create_database_renewal_request() z/OS V2R1 Changed:

Added support for generating certificate renewal requests with a DSA key size of 2048 bits and certificate requests that are signed with DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_create_database_signed_certificate() z/OS V2R1 Changed:

Added support for signing certificate requests using DSA 2048-bit keys and certificate requests that are signed with DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
z/OS V1R13 Changed:

Added support for creating a signed ECDSA certificate.

ECDSA certificate support
gsk_create_renewal_request() z/OS V2R1 Changed:

Added support for generating certificate requests with a DSA key size of 2048 bits and certificate requests that are signed with DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_create_revocation_source() z/OS V2R2 New:

Creates an OCSP, HTTP CRL, or an extended LDAP CRL revocation source.

Certificate revocation enhancement
gsk_create_self_signed_certificate() z/OS V2R1 Changed:

Added support for generating self-signed DSA certificates with a key size of 2048 bits and DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
z/OS V1R13 Changed:

Added support for generating self-signed ECDSA certificates.

ECDSA certificate support
gsk_create_signed_certificate_record() z/OS V2R1 Changed:

Added support for generating signed DSA certificates with a key size of 2048 bits and DSA certificates with DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_create_signed_certificate_set() z/OS V2R1 Changed:

Added support for generating signed DSA certificates with a key size of 2048 bits and signed certificates with DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
z/OS V1R13 Changed:

Added support for generating signed ECDSA certificates.

ECDSA certificate support
gsk_create_signed_crl_record() z/OS V2R1 Changed:

Added support for generating a signed CRL using DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_decode_certificate_extension() z/OS V2R2 Changed:

Added support for ocspNoCheck extension.

Certificate revocation enhancement
z/OS V2R1 Changed:

Added support for decoding HostIDMapping extension.

Enhanced X.509 certificate support
gsk_decode_issuer_and_serial_number() z/OS V2R2 New:

Decodes a PKCS #7 IssuerAndSerialNumber.

PKCS #7 support
gsk_decode_signer_identifier() z/OS V2R2 New:

Decodes a PKCS #7 signer identifier.

PKCS #7 support
gsk_encode_certificate_extension() z/OS V2R2 Changed:

Added support for ocspNoCheck extension.

Certificate revocation enhancement
z/OS V2R1 Changed:

Added support for encoding HostIDMapping extension.

Enhanced X.509 certificate support
gsk_encode_ec_parameters() z/OS V1R13 New:

Encodes the EC domain parameters for an ECC key.

ECDSA certificate support
gsk_encode_export_key() z/OS V2R1 Changed:

Added support for exporting RSA and ECDSA certificates with their private keys when the private keys are stored as extractable secure private keys in the TKDS.

Support for secure private keys in a PKCS #11 token
gsk_encode_issuer_and_serial_number() z/OS V2R2 New:

Encodes a PKCS #7 IssuerAndSerialNumber.

PKCS #7 support
gsk_encode_signer_identifier() z/OS V2R2 New:

Encodes a PKCS #7 SignerIdentifier from a signer certificate.

PKCS #7 support
gsk_export_key() z/OS V2R1 Changed:

Added support for exporting RSA and ECDSA certificates with their private keys when the private keys are stored as extractable secure private keys in the TKDS.

Support for secure private keys in a PKCS #11 token
gsk_free_issuer_and_serial_number() z/OS V2R2 New:

Releases storage allocated for PKCS #7 issuer and serial number information.

PKCS #7 support
gsk_free_oid() z/OS V2R2 New:

Releases storage allocated for OID information.

PKCS #7 support
gsk_free_revocation_source() z/OS V2R2 New:

Frees the revocation source initialized and allocated by gsk_create_revocation_source().

Certificate revocation enhancement
gsk_free_signer_identifier() z/OS V2R2 New:

Releases storage allocated for PKCS #7 signer identifier information.

PKCS #7 support
gsk_generate_key_pair() z/OS V2R1 Changed:

Added support for generation of DSA 2048-bit key pairs.

Enhanced DSA support
z/OS V1R13 Changed:

Added support for generating ECC key pairs.

Base elliptic curve support
gsk_generate_key_parameters() z/OS V1R13 Changed:

Added support for generating ECC key parameters.

Base elliptic curve support
gsk_get_cms_vector() z/OS V2R2 Changed:

Added GSKCMS_API_LVL10.

Certificate revocation enhancement
z/OS V2R1 Changed:

Added GSKCMS_API_LVL9.

Release update
z/OS V1R13 Changed:

Added GSKCMS_API_LVL8.

Release update
gsk_get_content_type_and_cms_version() z/OS V2R2 New:

Extracts the PKCS #7 content_info_type, content_info_oid, and cms_version from the pkcs_content_info structure.

PKCS #7 support
gsk_get_directory_certificates() z/OS V2R2 Changed:

Added support for timely revocation checking and revocation flexibility.

Certificate revocation enhancement
gsk_get_directory_crls() z/OS V2R2 Changed:

Added support for timely revocation checking and revocation flexibility.

Certificate revocation enhancement
gsk_get_directory_enum() z/OS V2R2 Changed:

Added support for timely revocation checking and revocation flexibility.

Certificate revocation enhancement
gsk_get_directory_numeric_value() z/OS V2R2 New:

Gets an integer value from an LDAP directory.

Certificate revocation enhancement
gsk_make_enveloped_data_content() z/OS V2R2 Changed:

Updated the version parameter.

PKCS #7 support
z/OS V2R1 Changed:

Added support for encrypting the message content using AES CBC (128-bit and 256-bit).

Enhanced PKCS#7 support

gsk_make_enveloped_data_content_extended() z/OS V2R2 Changed:

Updated the version parameter.

PKCS #7 support
z/OS V2R1 Changed:

Added support for encrypting the message content using AES CBC (128-bit and 256-bit).

Enhanced PKCS#7 support
gsk_make_enveloped_data_msg() z/OS V2R2 Changed:

Updated the version parameter.

PKCS #7 support
z/OS V2R1 Changed:

Added support for encrypting the message content using AES CBC (128-bit and 256-bit).

Enhanced PKCS#7 support

gsk_make_enveloped_data_msg_extended() z/OS V2R2 Changed:

Updated the version parameter.

PKCS #7 support
z/OS V2R1 Changed:

Added support for encrypting the message content using AES CBC (128-bit and 256-bit).

Enhanced PKCS#7 support
gsk_make_enveloped_private_key_msg() z/OS V2R1 New:

Creates a PKCS#7 EnvelopedData message containing an RSA or ECDSA private key. The private key is a secure key stored in a PKCS #11 token.

Enhanced PKCS#7 support
gsk_make_signed_data_content() z/OS V2R2 Changed:

Updated the version parameter.

PKCS #7 support
z/OS V2R1 Changed:

Added support for signing using digital signatures DSA with SHA-224 and SHA-256.

Enhanced DSA support

gsk_make_signed_data_content_extended() z/OS V2R2 Changed:

Updated the version parameter.

PKCS #7 support
z/OS V2R1 Changed:

Added support for signing using digital signatures DSA with SHA-224 and SHA-256.

Enhanced DSA support
gsk_make_signed_data_msg() z/OS V2R2 Changed:

Updated the version parameter.

PKCS #7 support
z/OS V2R1 Changed:

Added support for signing using digital signatures DSA with SHA-224 and SHA-256.

Enhanced DSA support

gsk_make_signed_data_msg_extended() z/OS V2R2 Changed:

Updated the version parameter.

PKCS #7 support
z/OS V2R1 Changed:

Added support for signing using digital signatures DSA with SHA-224 and SHA-256.

Enhanced DSA support
gsk_modify_pkcs11_key_label() z/OS V2R1 New:

Returns a gsk_buffer containing a TKDS key token label with either an "=" added or removed from the first position.

Support for secure private keys in a PKCS #11 token
gsk_open_directory() z/OS V2R2 Changed:

Added support for timely revocation checking and revocation flexibility.

Certificate revocation enhancement
gsk_perform_kat() z/OS V2R2 Changed:

Enhanced to run TLS V1.0, TLS V1.1, and TLS V1.2 key derivation function known answer tests.

FIPS 140-2 support
z/OS V1R13 Changed:

Enhanced to run HMAC-SHA-256 and HMAC-SHA-384 known answer tests.

FIPS 140-2 support
gsk_query_crypto_level() z/OS V2R1 Changed:

Updated SSL run time level.

Release update
z/OS V1R13 Changed:

Updated SSL run time level.

Release update
gsk_read_enveloped_data_content() z/OS V2R1 Changed:

Added support for decrypting the message content using AES CBC (128-bit and 256-bit).

Enhanced PKCS#7 support

gsk_read_enveloped_data_content_extended() z/OS V2R1 Changed:

Added support for decrypting the message content using AES CBC (128-bit and 256-bit).

Enhanced PKCS#7 support
gsk_read_enveloped_data_msg() z/OS V2R1 Changed:

Added support for decrypting the message content using AES CBC (128-bit and 256-bit).

Enhanced PKCS#7 support

gsk_read_enveloped_data_msg_extended() z/OS V2R1 Changed:

Added support for decrypting the message content using AES CBC (128-bit and 256-bit).

Enhanced PKCS#7 support
gsk_read_signed_data_content() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support

gsk_read_signed_data_content_extended() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_read_signed_data_msg() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support

gsk_read_signed_data_msg_extended() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_set_directory_enum() z/OS V2R2 Changed:

Added support for timely revocation checking and revocation flexibility.

Certificate revocation enhancement
gsk_set_directory_numeric_value() z/OS V2R2 New:

Sets an integer value for an LDAP directory.

Certificate revocation enhancement
gsk_sign_certificate() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_sign_crl() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_sign_data() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_validate_certificate() z/OS V2R2 Changed:

Added support for timely revocation checking and revocation flexibility.

Certificate revocation enhancement
z/OS V1R13 Changed:

Added support for gskdb_source_crl_callback.

Enhanced certificate support
gsk_validate_certificate_mode() z/OS V2R2 Changed:

Added support for timely revocation checking and revocation flexibility.

Certificate revocation enhancement
z/OS V2R1 Changed:

Added support for validating certificates and certificate chain according to RFC 5280.

Enhanced X.509 certificate support
z/OS V1R13 Changed:

Added support for gskdb_source_crl_callback.

Enhanced certificate support
gsk_validate_extended_key_usage() z/OS V2R2 New:

Validates a certificate's extended key usage extension against the supplied extended key usage list.

PKCS #7 support
gsk_verify_certificate_signature() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_verify_crl_signature() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support
gsk_verify_data_signature() z/OS V2R1 Changed:

Added support for verifying DSA with SHA-224 or SHA-256 digital signatures.

Enhanced DSA support