Retrieve Certificate Information (QYCURTVCI, QycuRetrieveCertificateInfo) API



  Required Parameter Group:

   1  Receiver variable                     Output  Char(*)
   2  Length of receiver variable           Input   Binary(4)
   3  Format of certificate information     Input   Char(8)
   4  Certificate store name                Input   Char(*)
   5  Length of certificate store name      Input   Binary(4)
   6  Format of certificate store name      Input   Char(8)
   7  Certificate store password            Input   Char(*)
   8  Length of certificate store password  Input   Binary(4)
   9  CCSID of certificate store password   Input   Binary(4)
  10  Selection control                     Input   Char(*)
  11  Error code                            I/O     Char(*)

 Program:  QICSS/QYCURTVCI

 Default Public Authority:  *USE

 Threadsafe:  No


  Syntax for QycuRetrieveCertificateInfo:
  #include <qycucerti.h>

  void QycuRetrieveCertificateInfo
         (void           *Receiver_variable,
          int            *Length_receiver_variable,
          char           *Format_certificate_info,
          char           *Certificate_store_name,
          int            *Length_certificate_store_name,
          char           *Format_certificate_store_name,
          char           *Certificate_store_password,
          int            *Length_certificate_store_password,
          int            *CCSID_certificate_store_password,
          char           *Selection_control,
          void           *Error_code);

  Service Program: QICSS/QYCUCERTI

  Default Public Authority: *USE

  Threadsafe: No

The Retrieve Certificate Information (OPM, QYCURTVCI; ILE, QycuRetrieveCertificateInfo) API retrieves information from server or CA certificates. For example, you can retrieve information about certificates that are expiring within a given date range.

Authorities and Locks

Authority Required

The caller of this API must provide the password for the certificate store. In addition, the caller must have *ALLOBJ and *SECADM special authorities.

Locks
Object will be locked shared read.

Required Parameter Group

Note: Do not use quotation marks in the input parameters.
Receiver variable
OUTPUT; CHAR(*)

The variable that is to receive the certificate information.

Length of receiver variable
INPUT; BINARY(4)

The length of the receiver variable. If the length specified is larger than the actual size of the receiver variable, the results will not be predictable. The minimum length is 8 bytes.

Format of certificate information
INPUT; CHAR(8)

The content and format of the information that is returned for each certificate is specified here.

The possible format names are:

RTCI0100 Certificate labels
RTCI0200 Certificate labels and expiration information
RTCI0300 All certificate information

Certificate store name
INPUT; CHAR(*)

The certificate store from which you want to retrieve the list of certificates. The following values can be used for the certificate store name:

*SYSTEM The *SYSTEM certificate store.
*OBJECTSIGNING The *OBJECTSIGNING certificate store.
*SIGNATUREVERIFICATION The *SIGNATUREVERIFICATION certificate store.
Directory path and file name The fully qualified Integrated File System (IFS) directory path and file name of the certificate store. The directory path must start with a leading forward slash (/), for example, /mydirectory/mystore.kdb. If you are using format OBJN0100, the path and file name are assumed to be represented in the CCSID (coded character set identifier) currently in effect for the job. If the CCSID of the job is 65535, the path and file name are assumed to be represented in the default CCSID of the job.
Length of certificate store name
INPUT; BINARY(4)

The length of the certificate store name. If the format specified is OBJN0200 (see below), this field must include the QLG path name structure length in addition to the length of the path name itself. If the format specified is OBJN0100 (see below), only the length of the path name itself is included.

Format of certificate store name
INPUT; CHAR(8)

The format of the certificate store path and file name parameter.

OBJN0100 The certificate store path and file name is a simple path name. If you are specifying *SYSTEM, *OBJECTSIGNING, or *SIGNATUREVERIFICATION for the certificate store name, use this format.
OBJN0200 The certificate path and file name is an LG-type path name.

Certificate store password
INPUT; CHAR(*)

The password for the certificate store.

Length of certificate store password
INPUT; BINARY(4)

The length of the password of the certificate store.

CCSID of certificate store password
INPUT; BINARY(4)

This parameter is the CCSID of the certificate store password. If the value is 0, the default CCSID of the job will be used.

Selection control
INPUT; CHAR(*)

The control information used to limit which certificates are returned. For the format of this structure, see Selection Control.

Error code
OUTPUT; CHAR(*)

The structure in which to return error information. For the format of the structure, see Error code parameter.



Receiver Formats

The following tables describe the order and format of the data returned in a receiver variable. For detailed descriptions of each field, see Receiver Field Descriptions.


RTCI0100 Format

Offset
Dec  Hex  Type               Field
0    0    BINARY(4)          Bytes returned
4    4    BINARY(4)          Bytes available
8    8    BINARY(4)          Offset to first certificate entry
12   C    BINARY(4)          Number of certificate entries returned
16   10   CHAR(*)            Reserved
Certificate entry information. These fields are repeated for each certificate entry returned.
          BINARY(4)          Displacement to next certificate entry
          BINARY(4)          Displacement to certificate label
          BINARY(4)          Length of certificate label
          CHAR(*)            Certificate label


RTCI0200 Format

Offset
Dec  Hex  Type               Field
0    0    BINARY(4)          Bytes returned
4    4    BINARY(4)          Bytes available
8    8    BINARY(4)          Offset to first certificate entry
12   C    BINARY(4)          Number of certificate entries returned
16   10   CHAR(*)            Reserved
Certificate entry information. These fields are repeated for each certificate entry returned.
          BINARY(4)          Displacement to next certificate entry
          CHAR(14)           Validity period end
          CHAR(2)            Reserved
          BINARY(4)          Displacement to certificate label
          BINARY(4)          Length of certificate label
          BINARY(4)          Displacement to subject's common name
          BINARY(4)          Length of subject's common name
          ARRAY(*) of CHAR   Certificate information fields


RTCI0300 Format

Offset
Dec  Hex  Type               Field
0    0    BINARY(4)          Bytes returned
4    4    BINARY(4)          Bytes available
8    8    BINARY(4)          Offset to first certificate entry
12   C    BINARY(4)          Number of certificate entries returned
16   10   CHAR(*)            Reserved
Certificate entry information. These fields are repeated for each certificate entry returned.
          BINARY(4)          Displacement to next certificate entry
          CHAR(1)            Trusted status
          CHAR(1)            Private key indicator
          CHAR(1)            Key storage location
          CHAR(14)           Validity period start
          CHAR(14)           Validity period end
          CHAR(16)           Key usage extensions
          CHAR(11)           Reserved
          BINARY(4)          Key size
          BINARY(4)          Displacement to certificate label
          BINARY(4)          Length of certificate label
          BINARY(4)          Displacement to serial number
          BINARY(4)          Length of serial number
          BINARY(4)          Displacement to subject's common name
          BINARY(4)          Length of subject's common name
          BINARY(4)          Displacement to subject's country or region
          BINARY(4)          Length of subject's country or region
          BINARY(4)          Displacement to subject's state or province
          BINARY(4)          Length of subject's state or province
          BINARY(4)          Displacement to subject's locality
          BINARY(4)          Length of subject's locality
          BINARY(4)          Displacement to subject's organization
          BINARY(4)          Length of subject's organization
          BINARY(4)          Displacement to subject's organizational unit
          BINARY(4)          Length of subject's organizational unit
          BINARY(4)          Displacement to subject's postal code
          BINARY(4)          Length of subject's postal code
          BINARY(4)          Displacement to issuer's common name
          BINARY(4)          Length of issuer's common name
          BINARY(4)          Displacement to issuer's country or region
          BINARY(4)          Length of issuer's country or region
          BINARY(4)          Displacement to issuer's state or province
          BINARY(4)          Length of issuer's state or province
          BINARY(4)          Displacement to issuer's locality
          BINARY(4)          Length of issuer's locality
          BINARY(4)          Displacement to issuer's organization
          BINARY(4)          Length of issuer's organization
          BINARY(4)          Displacement to issuer's organizational unit
          BINARY(4)          Length of issuer's organizational unit
          BINARY(4)          Displacement to issuer's postal code
          BINARY(4)          Length of issuer's postal code
          BINARY(4)          Displacement to CRL location
          BINARY(4)          Length of CRL location
          BINARY(4)          Displacement to LDAP server name
          BINARY(4)          Length of LDAP server name
          BINARY(4)          Displacement to private key label
          BINARY(4)          Length of private key label
          BINARY(4)          Displacement to IP address
          BINARY(4)          Length of IP address
          BINARY(4)          Displacement to domain name
          BINARY(4)          Length of domain name
          BINARY(4)          Displacement to email address
          BINARY(4)          Length of email address
          BINARY(4)          Displacement to first cryptographic device
          BINARY(4)          Number of cryptographic devices
          BINARY(4)          Number of cryptographic devices returned
          ARRAY(*) of CHAR   Certificate information fields
Cryptographic device information. These fields are repeated for each cryptographic device returned.
          BINARY(4)          Displacement to next cryptographic device
          BINARY(4)          Displacement to cryptographic device name
          BINARY(4)          Length of cryptographic device name
          ARRAY(*) of CHAR   Cryptographic device information fields (names)


Receiver Field Descriptions

Bytes available. The number of bytes of data available to be returned. All available data is returned if enough space is provided.

Bytes returned. The number of bytes of data returned.

Certificate label. The label for the certificate. The label is returned in the CCSID (coded character set identifier) currently in effect for the job. If the CCSID of the job is 65535, the label is returned in the default CCSID of the job. The certificate label is a null terminated string.

Displacement to certificate label. The displacement from the beginning of the entry to the field that indicates the certificate label.

Displacement to CRL location. The displacement from the beginning of the entry to the field that indicates the CRL location.

Displacement to cryptographic device name. The displacement from the beginning of the entry to the field that indicates the cryptographic device name.

Displacement to domain name. The displacement from the beginning of the entry to the field that indicates the domain name.

Displacement to email address. The displacement from the beginning of the entry to the field that indicates the email address.

Displacement to first cryptographic device. The displacement from the beginning of the entry to the field that indicates the first cryptographic device.

Displacement to IP address. The displacement from the beginning of the entry to the field that indicates the IP address.

Displacement to issuer's common name. The displacement from the beginning of the entry to the field that indicates the issuer's common name.

Displacement to issuer's country or region. The displacement from the beginning of the entry to the field that indicates the issuer's country or region.

Displacement to issuer's locality. The displacement from the beginning of the entry to the field that indicates the issuer's locality.

Displacement to issuer's organization. The displacement from the beginning of the entry to the field that indicates the issuer's organization.

Displacement to issuer's organizational unit. The displacement from the beginning of the entry to the field that indicates the issuer's organizational unit.

Displacement to issuer's postal code. The displacement from the beginning of the entry to the field that indicates the issuer's postal code.

Displacement to issuer's state or province. The displacement from the beginning of the entry to the field that indicates the issuer's state or province.

Displacement to LDAP server name. The displacement from the beginning of the entry to the field that indicates the LDAP server name.

Displacement to next certificate entry. The displacement from the beginning of this entry to the next entry.

Displacement to next cryptographic device. The displacement from the beginning of the current cryptographic device entry to the next entry.

Displacement to private key label. The displacement from the beginning of the entry to the field that indicates the private key label.

Displacement to serial number. The displacement from the beginning of the entry to the field that indicates the serial number.

Displacement to subject's common name. The displacement from the beginning of the entry to the field that indicates the subject's common name.

Displacement to subject's country or region. The displacement from the beginning of the entry to the field that indicates the subject's country or region.

Displacement to subject's locality. The displacement from the beginning of the entry to the field that indicates the subject's locality.

Displacement to subject's organization. The displacement from the beginning of the entry to the field that indicates the subject's organization.

Displacement to subject's organizational unit. The displacement from the beginning of the entry to the field that indicates the subject's organizational unit.

Displacement to subject's postal code. The displacement from the beginning of the entry to the field that indicates the subject's postal code.

Displacement to subject's state or province. The displacement from the beginning of the entry to the field that indicates the subject's state or province.

Key size. The size of the key in bytes.

Key storage location. A single character that indicates where the key is stored.

Possible values:

0 The key is stored in software
1 The key is stored in hardware
2 The key is stored in hardware encryption

Key usage extensions. The key usage extension values for the certificate. Each subfield is 1 if the certificate has that key usage extension and 0 if it does not.

This field contains the following fields:

DigitalSignature CHAR(1)

Whether the certificate has the digital signature extension.

NonRepudiation CHAR(1)

Whether the certificate has the nonrepudiation extension.

KeyEncipherment CHAR(1)

Whether the certificate has the key encipherment extension.

DataEncipherment CHAR(1)

Whether the certificate has the data encipherment extension.

KeyAgreement CHAR(1)

Whether the certificate has the key agreement extension.

KeyCertSign CHAR(1)

Whether the certificate has the key certificate signature extension.

CRLSign CHAR(1)

Whether the certificate has the CRL signature extension.

EncipherOnly CHAR(1)

Whether the certificate has the encipher only extension.

DecipherOnly CHAR(1)

Whether the certificate has the decipher only extension.

Reserved CHAR(7)

An ignored field.

Length of certificate label. The length of the field that contains the certificate label.

Length of CRL location. The length of the field that indicates the CRL location.

Length of cryptographic device name. The length of the field that indicates the cryptographic device name.

Length of domain name. The length of the field that indicates the domain name.

Length of email address. The length of the field that indicates the email address.

Length of IP address. The length of the field that indicates the IP address.

Length of issuer's common name. The length of the field that indicates the issuer's common name.

Length of issuer's country or region. The length of the field that indicates the issuer's country or region.

Length of issuer's locality. The length of the field that indicates the issuer's locality.

Length of issuer's organization. The length of the field that indicates the issuer's organization.

Length of issuer's organizational unit. The length of the field that indicates the issuer's organizational unit.

Length of issuer's postal code. The length of the field that indicates the issuer's postal code.

Length of issuer's state or province. The length of the field that indicates the issuer's state or province.

Length of LDAP server name. The length of the field that indicates the LDAP server name.

Length of private key label. The length of the field that indicates the private key label. Will be 0 if the key storage location is 0.

Length of serial number. The length of the field that indicates the serial number.

Length of subject's common name. The length of the field that indicates the subject's common name.

Length of subject's country or region. The length of the field that indicates the subject's country or region.

Length of subject's locality. The length of the field that indicates the subject's locality.

Length of subject's organization. The length of the field that indicates the subject's organization.

Length of subject's organizational unit. The length of the field that indicates the subject's organizational unit.

Length of subject's postal code. The length of the field that indicates the subject's postal code.

Length of subject's state or province. The length of the field that indicates the subject's state or province.

Number of certificate entries returned. The number of certificate entries returned. If the receiver variable is not large enough to hold all of the information, this number contains only the number of certificate entries actually returned.

Number of cryptographic devices. The number of cryptographic devices returned.

Offset to first certificate entry. The offset to the first certificate entry returned. The offset is from the beginning of the structure. If no entries are returned, the offset is set to zero.

Private key indicator. A one-character indicator of whether the certificate has a private key.

Possible values:

0 The certificate does not have a private key.
1 The certificate does have a private key.

Trusted status. A one-character indicator of whether the certificate is trusted.

Possible values:

0 The certificate is not trusted.
1 The certificate is trusted.

Reserved. An ignored field.

Validity period start. The field that indicates the beginning date of the validity period. The first 8 characters consist of 4 characters for the year, 2 characters for the month, and 2 characters for the day. The last 6 characters consist of 2 characters for the hours, 2 characters for the minutes, and 2 characters for the seconds.

Validity period end. The field that indicates the ending date of the validity period. The first 8 characters consist of 4 characters for the year, 2 characters for the month, and 2 characters for the day. The last 6 characters consist of 2 characters for the hours, 2 characters for the minutes, and 2 characters for the seconds.
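As an added illustration (not code from this documentation), the following C walks an RTCI0200 receiver using the displacements described above. It refuses to read any string when the receiver is truncated (Bytes returned smaller than Bytes available) or when a displacement or length points outside the returned bytes, so a caller cannot mistake a short receiver for "nothing is expiring". It assumes BINARY(4) is a 4-byte big-endian integer as on IBM i, and the sample receiver, labels and dates are constructed in ASCII rather than the job CCSID.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* BINARY(4) is a 4-byte big-endian integer on IBM i; explicit byte access
 * keeps this demonstration portable when compiled off-platform. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Field positions from the RTCI0200 format table (header, then per entry). */
enum { HDR_BYTES_RET = 0, HDR_BYTES_AVAIL = 4, HDR_FIRST = 8, HDR_COUNT = 12,
       ENT_NEXT = 0, ENT_VALID_END = 4, ENT_LABEL_DISP = 20, ENT_LABEL_LEN = 24,
       ENT_CN_DISP = 28, ENT_CN_LEN = 32, ENT_FIXED = 36 };

/* Counts entries whose validity period end (CHAR(14), YYYYMMDDhhmmss) sorts
 * before `cutoff`. Returns -1 if the receiver is truncated (bytes returned <
 * bytes available) or a displacement escapes the returned bytes, so a short
 * buffer is never mistaken for "nothing is expiring". */
int count_expiring_rtci0200(const unsigned char *rcv, size_t rcv_len,
                            const char *cutoff) {
    if (rcv_len < 16) return -1;
    uint32_t ret = be32(rcv + HDR_BYTES_RET), avail = be32(rcv + HDR_BYTES_AVAIL);
    if (ret > rcv_len || ret < avail) return -1;   /* enlarge receiver, call again */
    uint32_t off = be32(rcv + HDR_FIRST), n = be32(rcv + HDR_COUNT);
    int expiring = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (off < 16 || off > ret || ret - off < ENT_FIXED) return -1;
        const unsigned char *e = rcv + off;
        uint32_t ld = be32(e + ENT_LABEL_DISP), ll = be32(e + ENT_LABEL_LEN);
        if (ld > ret - off || ll > ret - off - ld) return -1;  /* label in bounds */
        if (memcmp(e + ENT_VALID_END, cutoff, 14) < 0) expiring++;
        off += be32(e + ENT_NEXT);   /* displacement is relative to this entry */
    }
    return expiring;
}

/* Writes one entry (fixed part, then label and common name); returns its length. */
static uint32_t put_entry(unsigned char *e, const char *end, const char *label,
                          const char *cn) {
    uint32_t ll = (uint32_t)strlen(label), cl = (uint32_t)strlen(cn);
    memcpy(e + ENT_VALID_END, end, 14);
    put_be32(e + ENT_LABEL_DISP, ENT_FIXED);       put_be32(e + ENT_LABEL_LEN, ll);
    put_be32(e + ENT_CN_DISP, ENT_FIXED + ll);     put_be32(e + ENT_CN_LEN, cl);
    memcpy(e + ENT_FIXED, label, ll);
    memcpy(e + ENT_FIXED + ll, cn, cl);
    put_be32(e + ENT_NEXT, ENT_FIXED + ll + cl);
    return ENT_FIXED + ll + cl;
}

/* Constructed sample receiver (not real API output; ASCII rather than the job
 * CCSID): two server certificates, one already past its validity period end.
 * `rcv_len` of 0 evaluates the whole buffer; a smaller value simulates a caller
 * whose receiver is shorter than "Bytes returned". Expected: 1 and -1. */
int demo(size_t rcv_len) {
    unsigned char rcv[256] = {0};
    uint32_t off = 16;                                /* no reserved bytes used */
    off += put_entry(rcv + off, "20241231235959", "WEBSRV_2024", "web.example.test");
    off += put_entry(rcv + off, "20261231235959", "WEBSRV_2026", "web.example.test");
    put_be32(rcv + HDR_BYTES_RET, off);  put_be32(rcv + HDR_BYTES_AVAIL, off);
    put_be32(rcv + HDR_FIRST, 16);       put_be32(rcv + HDR_COUNT, 2);
    return count_expiring_rtci0200(rcv, rcv_len ? rcv_len : off, "20250101000000");
}
```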

Selection Control

The selection criteria are used to select or match certificates based on the specified information.

This parameter is useful for reducing the total number of certificates returned in the list; the list then contains only the certificates that match the selections of interest.

The following shows the format of the selection control parameter. For detailed descriptions of the fields in the table, see Selection Control Field Descriptions.

Offset
Dec  Hex  Type                   Field
0    0    BINARY(4)              Length of selection control
4    4    BINARY(4)              Number of selection pairs
8    8    ARRAY(*) of BINARY(4)  Offsets to selection pairs
These fields repeat for each selection pair specified.
          BINARY(4)              Length of selection pair
          CHAR(20)               Selection name
          ARRAY(*) of CHAR       Selection value


Selection Control Field Descriptions

Length of selection control. The total number of bytes for the length itself, the bytes for the number of selection pairs, and the bytes for the array of displacements. It also includes the sum of the lengths of the selection pairs. The length of the selection control will vary due to the array of displacements and the selection pairs. A length of zero indicates that no selection control pairs are specified.

Number of selection pairs. The number of separate selection pairs in the generated list of certificates. All of the selection pairs must be satisfied for each certificate that is returned. If the number of selection pairs is 0, then all certificates are returned. The maximum allowed number of selection pairs is defined as QYCU_MAX_SEL_NAMES.

Length of selection pair. The length of the selection name and selection value fields plus the bytes for the length itself. The length of the selection pair varies with the selection value. Valid values are 24 bytes or larger.

Offsets to selection pairs. An array of offsets to selection pairs from the beginning of the selection control.

Selection name. The selection that is used to limit which certificates are returned. Selections indicate which fields of the certificate are to be examined for matching selection values. Selection names cannot be specified more than once.

Valid selection names are:

EXPIRATIONDAYS    CHAR(4)  Certificates that are expired or will expire within the specified number of days. The value is the number of days in character format (zoned decimal). The valid range is 1 to 365 days.
CERTIFICATETYPE   CHAR(1)  The certificate type, server or CA. Possible values:
                           0 Server certificate
                           1 CA certificate
CERTIFICATELABEL  CHAR(*)  Certificates whose label matches the label specified. When this selection is chosen, no other selection criteria are allowed.
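As an added example rather than IBM's own code, the following C encodes the selection control structure described in this section for "server certificates that expire within 30 days" and enforces the rules stated here (no repeated names, CERTIFICATELABEL not combined with other pairs, EXPIRATIONDAYS four zoned digits in 1 to 365). The helper names are the author's, BINARY(4) is written big-endian as on IBM i, and the blank padding and sample values are ASCII rather than the job CCSID.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* BINARY(4) is big-endian on IBM i; written byte-wise to stay portable. */
static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
struct sel_pair { const char *name; const char *value; };

/* Encodes the selection control from the page's table: BINARY(4) total length,
 * BINARY(4) pair count, BINARY(4)[n] offsets from the start of the control, then
 * per pair BINARY(4) pair length, CHAR(20) blank-padded name, CHAR(*) value.
 * Enforces the documented rules (no repeated names, CERTIFICATELABEL alone,
 * EXPIRATIONDAYS four zoned digits in 1..365). Returns total length, 0 on error. */
size_t build_selection_control(unsigned char *buf, size_t cap,
                               const struct sel_pair *pairs, uint32_t n) {
    if (n == 0) return 0;               /* "no selection" is a zero-length control */
    size_t total = 8 + 4 * (size_t)n;
    for (uint32_t i = 0; i < n; i++) {
        const char *name = pairs[i].name, *val = pairs[i].value;
        if (strlen(name) > 20) return 0;
        for (uint32_t j = 0; j < i; j++)
            if (strcmp(name, pairs[j].name) == 0) return 0;   /* duplicate name */
        if (strcmp(name, "CERTIFICATELABEL") == 0 && n != 1) return 0;
        if (strcmp(name, "EXPIRATIONDAYS") == 0) {
            if (strlen(val) != 4 || strspn(val, "0123456789") != 4) return 0;
            long days = strtol(val, NULL, 10);
            if (days < 1 || days > 365) return 0;
        }
        if (strcmp(name, "CERTIFICATETYPE") == 0 && strcmp(val, "0") && strcmp(val, "1"))
            return 0;
        total += 4 + 20 + strlen(val);                 /* Length of selection pair */
    }
    if (total > cap) return 0;
    put_be32(buf, (uint32_t)total);
    put_be32(buf + 4, n);
    size_t off = 8 + 4 * (size_t)n;                    /* first pair follows the offsets */
    for (uint32_t i = 0; i < n; i++) {
        size_t vlen = strlen(pairs[i].value), plen = 24 + vlen;
        put_be32(buf + 8 + 4 * i, (uint32_t)off);
        put_be32(buf + off, (uint32_t)plen);
        memset(buf + off + 4, ' ', 20);
        memcpy(buf + off + 4, pairs[i].name, strlen(pairs[i].name));
        memcpy(buf + off + 24, pairs[i].value, vlen);
        off += plen;
    }
    return total;
}

static unsigned char g_sel[128];         /* last built control, for inspection */
uint32_t sel_field(size_t off) { return be32(g_sel + off); }

/* Constructed example: server certificates expiring within 30 days. Expect 69. */
size_t demo_expiring_servers(void) {
    struct sel_pair pairs[] = { {"EXPIRATIONDAYS", "0030"}, {"CERTIFICATETYPE", "0"} };
    return build_selection_control(g_sel, sizeof g_sel, pairs, 2);
}
/* Rule violation: CERTIFICATELABEL combined with another pair. Expect 0. */
size_t demo_invalid_combo(void) {
    struct sel_pair pairs[] = { {"CERTIFICATELABEL", "WEBSRV_2024"}, {"CERTIFICATETYPE", "0"} };
    return build_selection_control(g_sel, sizeof g_sel, pairs, 2);
}
```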

Error Messages

Message ID Error Message Text
CPFA0AA E Error occurred while attempting to obtain space.
CPFA0C1 E CCSID &1 not valid.
CPFA049 E Certificate store does not exist.
CPFA09C E User not authorized to certificate store.
CPFB001 E One or more input parameters is NULL or missing.
CPFB003 E Certificate store password is not valid.
CPFB006 E An error occurred. The error code is &1.
CPF222E E &1 special authority is required.
CPF227E E Selection control is not valid.
CPF3C21 E Format name &1 is not valid.
CPF3C24 E Length of the receiver variable is not valid.
CPF3CF1 E Error code parameter not valid.
CPF3CF2 E Error(s) occurred during running of &1 API.
CPF3C36 E Number of parameters, &1, entered for this API was not valid.
CPF3C90 E Literal value cannot be changed.



API introduced: V6R1
