Creates a signed certificate revocation list.
Format
#include <gskcms.h>
gsk_status gsk_create_signed_crl_record (
gsk_handle db_handle,
const char * label,
x509_algorithm_type signature_algorithm,
gsk_int32 crl_number,
int num_days,
x509_revoked_certificates * revoked_certificates,
x509_extensions * extensions,
gsk_buffer * signed_crl)
Parameters
- db_handle
- Specifies the database handle returned by the gsk_create_database() routine,
the gsk_open_database() routine, or the gsk_open_keyring() routine.
This must be a key database and not a request database.
- label
- Specifies the label for the certificate to be used to sign the
certificate revocation list. The label is specified in the local
code page.
- signature_algorithm
- Specifies the signature algorithm to be used for the CRL signature.
- crl_number
- Specifies the CRL number. Each CRL is numbered with each successive
revocation list having a larger CRL number than all previous revocation
lists.
- num_days
- Specifies the number of days until the next CRL will be issued. The value must be between 1 and 9999; a larger value is treated as 9999 and a smaller value as 1.
- revoked_certificates
- Specifies the revoked list of certificates to be included in the
CRL. This list consists of the certificate serial numbers and not
the actual certificates.
- extensions
- Specifies the CRL extensions for the new CRL. Specify NULL for
this parameter if no CRL extensions are supplied.
- signed_crl
- Returns the signed certificate revocation list in Base64 format.
The Base64 stream will be in the local code page. The application
should call the gsk_free_buffer() routine to release the stream
when it is no longer needed.
Results
The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:
- [CMSERR_ALG_NOT_SUPPORTED]
- The signature algorithm is not supported.
- [CMSERR_BAD_EC_PARAMS]
- Elliptic Curve parameters are not valid.
- [CMSERR_BAD_HANDLE]
- The database handle is not valid.
- [CMSERR_BAD_KEY_SIZE]
- The key size is not valid.
- [CMSERR_BAD_LABEL]
- The record label is not valid.
- [CMSERR_BAD_SIGNATURE]
- The request signature is not correct.
- [CMSERR_ECURVE_NOT_FIPS_APPROVED]
- Elliptic Curve not supported in FIPS mode.
- [CMSERR_ECURVE_NOT_SUPPORTED]
- Elliptic Curve is not supported.
- [CMSERR_EXPIRED]
- The signer certificate is expired.
- [CMSERR_ICSF_FIPS_DISABLED]
- ICSF PKCS #11 services are disabled.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF services are not available.
- [CMSERR_ICSF_NOT_FIPS]
- ICSF PKCS #11 not operating in FIPS mode.
- [CMSERR_ICSF_SERVICE_FAILURE]
- ICSF callable service returned an error.
- [CMSERR_INCORRECT_DBTYPE]
- The database type does not support certificates.
- [CMSERR_INCORRECT_KEY_USAGE]
- The signer certificate key usage does not allow signing a CRL.
- [CMSERR_ISSUER_NOT_CA]
- The signer certificate is not for a certification authority.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
- [CMSERR_NO_PRIVATE_KEY]
- The signer certificate does not have a private key.
- [CMSERR_RECORD_NOT_FOUND]
- The signer certificate is not found in the key database.
Usage
The gsk_create_signed_crl_record() routine will generate an X.509 certificate revocation list (CRL) as described in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. The new CRL will be signed using the certificate specified by the label parameter and the signature algorithm specified by the signature_algorithm parameter.
The following signature algorithms are supported:
- x509_alg_md2WithRsaEncryption
- RSA encryption with MD2 digest - {1.2.840.113549.1.1.2}
- x509_alg_md5WithRsaEncryption
- RSA encryption with MD5 digest - {1.2.840.113549.1.1.4}
- x509_alg_sha1WithRsaEncryption
- RSA encryption with SHA-1 digest - {1.2.840.113549.1.1.5}
- x509_alg_sha224WithRsaEncryption
- RSA encryption with SHA-224 digest - {1.2.840.113549.1.1.14}
- x509_alg_sha256WithRsaEncryption
- RSA encryption with SHA-256 digest - {1.2.840.113549.1.1.11}
- x509_alg_sha384WithRsaEncryption
- RSA encryption with SHA-384 digest - {1.2.840.113549.1.1.12}
- x509_alg_sha512WithRsaEncryption
- RSA encryption with SHA-512 digest - {1.2.840.113549.1.1.13}
- x509_alg_dsaWithSha1
- Digital Signature Standard with SHA-1 digest - {1.2.840.10040.4.3}
- x509_alg_dsaWithSha224
- Digital Signature Standard with SHA-224 digest - {2.16.840.1.101.3.4.3.1}
- x509_alg_dsaWithSha256
- Digital Signature Standard with SHA-256 digest - {2.16.840.1.101.3.4.3.2}
- x509_alg_ecdsaWithSha1
- Elliptic Curve Digital Signature Algorithm with SHA-1 digest - {1.2.840.10045.4.1}
- x509_alg_ecdsaWithSha224
- Elliptic Curve Digital Signature Algorithm with SHA-224 digest - {1.2.840.10045.4.3.1}
- x509_alg_ecdsaWithSha256
- Elliptic Curve Digital Signature Algorithm with SHA-256 digest - {1.2.840.10045.4.3.2}
- x509_alg_ecdsaWithSha384
- Elliptic Curve Digital Signature Algorithm with SHA-384 digest - {1.2.840.10045.4.3.3}
- x509_alg_ecdsaWithSha512
- Elliptic Curve Digital Signature Algorithm with SHA-512 digest - {1.2.840.10045.4.3.4}
When executing in FIPS mode, the signature algorithms x509_alg_md2WithRsaEncryption and x509_alg_md5WithRsaEncryption are not supported.
The number of days until the next CRL is issued will be set to the earlier of the requested date and the expiration of the signing certificate.
The signing certificate must have an associated private key, the BasicConstraints extension must either be omitted or must have the CA indicator set, and the KeyUsage extension must either be omitted or must allow signing certificate revocation lists.
The CRL will have a CRLNumber extension containing the value specified by the crl_number parameter. It will also have an AuthorityKeyIdentifier extension if the signing certificate has a SubjectKeyIdentifier extension. The application can supply additional extensions through the extensions parameter. An AuthorityKeyIdentifier or CRLNumber extension provided by the application will replace the default extension created for the CRL.
No certification path validation is performed by the gsk_create_signed_crl_record() routine.
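The following C program is an added example and is not System SSL code; it does not call gsk_create_signed_crl_record() and does not include gskcms.h. It models, in stand-alone form, the input rules the num_days parameter description and the Usage section above document: the 1..9999 clamp on num_days, nextUpdate being the earlier of the requested date and the signer's expiration, the MD2/MD5 exclusion in FIPS mode, the private-key, BasicConstraints and KeyUsage requirements on the signer, and the default CRLNumber and AuthorityKeyIdentifier extensions that application-supplied extensions of the same name replace. The names struct signer, enum sig_alg, clamp_num_days(), next_update(), check_algorithm(), check_signer() and crl_extensions() are assumptions of this example, and the CRL_* return codes are local placeholders named after the CMSERR_ constants, not the values defined in gskcms.h.

```c
/* Added example: a stand-alone model of the documented input rules for
 * gsk_create_signed_crl_record(). Not System SSL code; CRL_* codes are
 * placeholders for the CMSERR_ constants in gskcms.h. */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum crl_rc {
    CRL_OK = 0,
    CRL_ALG_NOT_SUPPORTED,   /* stands in for CMSERR_ALG_NOT_SUPPORTED */
    CRL_NO_PRIVATE_KEY,      /* stands in for CMSERR_NO_PRIVATE_KEY */
    CRL_ISSUER_NOT_CA,       /* stands in for CMSERR_ISSUER_NOT_CA */
    CRL_INCORRECT_KEY_USAGE, /* stands in for CMSERR_INCORRECT_KEY_USAGE */
    CRL_EXPIRED              /* stands in for CMSERR_EXPIRED */
};

/* A subset of the page's supported signature algorithms (hypothetical enum). */
enum sig_alg { ALG_MD2_RSA, ALG_MD5_RSA, ALG_SHA256_RSA, ALG_ECDSA_SHA256 };

/* The signer certificate properties the routine is documented to check. */
struct signer {
    int has_private_key;
    int has_basic_constraints, is_ca; /* BasicConstraints: omitted, or CA set */
    int has_key_usage, crl_sign;      /* KeyUsage: omitted, or cRLSign set */
    int has_subject_key_id;           /* drives the default AuthorityKeyIdentifier */
    time_t not_after;                 /* signer certificate expiration */
};

/* num_days outside 1..9999 is forced to the nearest limit. */
int clamp_num_days(int num_days)
{
    if (num_days < 1) return 1;
    if (num_days > 9999) return 9999;
    return num_days;
}

/* nextUpdate is the earlier of the requested date and the signer's expiration. */
time_t next_update(time_t this_update, int num_days, time_t signer_not_after)
{
    time_t requested = this_update + (time_t)clamp_num_days(num_days) * 86400;
    return requested < signer_not_after ? requested : signer_not_after;
}

/* MD2 and MD5 with RSA are refused when running in FIPS mode. */
int check_algorithm(enum sig_alg alg, int fips_mode)
{
    if (fips_mode && (alg == ALG_MD2_RSA || alg == ALG_MD5_RSA))
        return CRL_ALG_NOT_SUPPORTED;
    return CRL_OK;
}

/* Signer must have a private key, be a CA (or omit BasicConstraints),
 * allow cRLSign (or omit KeyUsage), and not be expired. */
int check_signer(const struct signer *s, time_t now)
{
    if (!s->has_private_key) return CRL_NO_PRIVATE_KEY;
    if (s->has_basic_constraints && !s->is_ca) return CRL_ISSUER_NOT_CA;
    if (s->has_key_usage && !s->crl_sign) return CRL_INCORRECT_KEY_USAGE;
    if (s->not_after <= now) return CRL_EXPIRED;
    return CRL_OK;
}

/* Default extensions: CRLNumber always, AuthorityKeyIdentifier only when the
 * signer carries a SubjectKeyIdentifier. An application-supplied extension
 * with the same name replaces the default. Returns the count stored in out. */
int crl_extensions(const struct signer *s, const char *const *app_exts, int n_app,
                   const char **out, int max_out)
{
    const char *defaults[2];
    int n_def = 0, n = 0, i, j;
    defaults[n_def++] = "CRLNumber";
    if (s->has_subject_key_id) defaults[n_def++] = "AuthorityKeyIdentifier";
    for (i = 0; i < n_def; i++) {
        int replaced = 0;
        for (j = 0; j < n_app; j++)
            if (strcmp(defaults[i], app_exts[j]) == 0) replaced = 1;
        if (!replaced && n < max_out) out[n++] = defaults[i];
    }
    for (i = 0; i < n_app && n < max_out; i++) out[n++] = app_exts[i];
    return n;
}

int main(void)
{
    time_t now = 1700000000;                                  /* constructed clock */
    struct signer ca = {1, 1, 1, 1, 1, 1, now + 30 * 86400};  /* expires in 30 days */
    const char *app[] = {"CRLNumber", "IssuingDistributionPoint"};
    const char *exts[4];
    int n = crl_extensions(&ca, app, 2, exts, 4), i;
    printf("num_days 20000 -> %d\n", clamp_num_days(20000));
    printf("nextUpdate clamped to signer expiry: %s\n",
           next_update(now, 9999, ca.not_after) == ca.not_after ? "yes" : "no");
    printf("signer check rc=%d, MD5 in FIPS rc=%d\n",
           check_signer(&ca, now), check_algorithm(ALG_MD5_RSA, 1));
    for (i = 0; i < n; i++) printf("extension: %s\n", exts[i]);
    return 0;
}
```

Running these checks before calling the real routine lets an application distinguish a bad input (an expired or non-CA signer, a forbidden algorithm under FIPS) from a runtime failure such as CMSERR_ICSF_NOT_AVAILABLE, and it documents, in the form of tests, the nextUpdate and extension behaviour the page describes.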