z/OS Cryptographic Services System SSL Programming


gsk_construct_renewal_request()

SC14-7495-00

Constructs a certification renewal request as described in PKCS #10, Version 1.7: Certification Request.

Format

   #include <gskcms.h>

   gsk_status gsk_construct_renewal_request (
                                          x509_public_key_info *  public_key,
                                          pkcs_private_key_info * private_key,
                                          x509_algorithm_type     signature_algorithm,
                                          const char *            subject_name,
                                          x509_extensions *       extensions,
                                          pkcs_cert_request *     request)
                                          

Parameters

public_key
Specifies the public key for the certification request.
private_key
Specifies the private key for the certification request.
signature_algorithm
Specifies the signature algorithm used to sign the constructed request.
subject_name
Specifies the distinguished name for the certificate subject. The distinguished name is specified in the local code page and consists of one or more relative distinguished name components separated by commas.
extensions
Specifies certificate extensions to be included in the certification request. Specify NULL for this parameter if no certificate extensions are provided.
request
Returns the certification renewal request as a pkcs_cert_request structure.

Results

The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:
[ASN_X500_NO_AVA_SEP]
An attribute value separator is missing.
[CMSERR_ALG_NOT_SUPPORTED]
The signature algorithm is not valid.
[CMSERR_BAD_KEY_SIZE]
The key size is not valid.
[CMSERR_KEY_MISMATCH]
The signing key type is not supported by the requested signature algorithm.
[CMSERR_NO_MEMORY]
Insufficient storage is available.

Usage

The gsk_construct_renewal_request() routine constructs a certification renewal request and returns the constructed request in the pkcs_cert_request structure request.

The gsk_encode_export_request() routine can be called to create an export file containing the request for transmission to the certification authority.

The certification request will be signed using the key specified by the private_key parameter and the signature algorithm specified by the signature_algorithm parameter.

These signature algorithms are supported:
x509_alg_md2WithRsaEncryption
RSA encryption with MD2 digest - {1.2.840.113549.1.1.2}
x509_alg_md5WithRsaEncryption
RSA encryption with MD5 digest - {1.2.840.113549.1.1.4}
x509_alg_sha1WithRsaEncryption
RSA encryption with SHA-1 digest - {1.2.840.113549.1.1.5}
x509_alg_sha224WithRsaEncryption
RSA encryption with SHA-224 digest - {1.2.840.113549.1.1.14}
x509_alg_sha256WithRsaEncryption
RSA encryption with SHA-256 digest - {1.2.840.113549.1.1.11}
x509_alg_sha384WithRsaEncryption
RSA encryption with SHA-384 digest - {1.2.840.113549.1.1.12}
x509_alg_sha512WithRsaEncryption
RSA encryption with SHA-512 digest - {1.2.840.113549.1.1.13}
x509_alg_dsaWithSha1
Digital Signature Standard with SHA-1 digest - {1.2.840.10040.4.3}
x509_alg_dsaWithSha224
Digital Signature Standard with SHA-224 digest - {2.16.840.1.101.3.4.3.1}
x509_alg_dsaWithSha256
Digital Signature Standard with SHA-256 digest - {2.16.840.1.101.3.4.3.2}
x509_alg_ecdsaWithSha1
Elliptic Curve Digital Signature Algorithm with SHA-1 digest - {1.2.840.10045.4.1}
x509_alg_ecdsaWithSha224
Elliptic Curve Digital Signature Algorithm with SHA-224 digest - {1.2.840.10045.4.3.1}
x509_alg_ecdsaWithSha256
Elliptic Curve Digital Signature Algorithm with SHA-256 digest - {1.2.840.10045.4.3.2}
x509_alg_ecdsaWithSha384
Elliptic Curve Digital Signature Algorithm with SHA-384 digest - {1.2.840.10045.4.3.3}
x509_alg_ecdsaWithSha512
Elliptic Curve Digital Signature Algorithm with SHA-512 digest - {1.2.840.10045.4.3.4}

When executing in FIPS mode, signature algorithms x509_alg_md2WithRsaEncryption and x509_alg_md5WithRsaEncryption are not supported.

The extensions parameter can be used to provide certificate extensions for inclusion in the certification request. Whether or not a particular certificate extension will be included in the new certificate is determined by the certification authority.
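
The documented failure cases (algorithm not supported, key type mismatch, missing attribute value separator, and the FIPS-mode exclusion of the MD2 and MD5 algorithms) can be checked by the caller before the request is built. The following C sketch is an added example, not IBM code: the enum names, preflight_renewal() and dn_has_separators() are hypothetical, algorithm names are compared as strings so that it builds without gskcms.h, and backslash escaping in the distinguished name is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Local names for this sketch (hypothetical, not values from gskcms.h). */
enum key_family { KEY_RSA, KEY_DSA, KEY_EC };
enum preflight { PF_OK, PF_ALG_UNKNOWN, PF_FIPS_EXCLUDED, PF_KEY_MISMATCH, PF_DN_NO_SEP };

/* Algorithm names from the page; fips_excluded follows its FIPS-mode note. */
static const struct { const char *name; enum key_family key; int fips_excluded; } ALGS[] = {
    {"x509_alg_md2WithRsaEncryption",    KEY_RSA, 1},
    {"x509_alg_md5WithRsaEncryption",    KEY_RSA, 1},
    {"x509_alg_sha1WithRsaEncryption",   KEY_RSA, 0},
    {"x509_alg_sha224WithRsaEncryption", KEY_RSA, 0},
    {"x509_alg_sha256WithRsaEncryption", KEY_RSA, 0},
    {"x509_alg_sha384WithRsaEncryption", KEY_RSA, 0},
    {"x509_alg_sha512WithRsaEncryption", KEY_RSA, 0},
    {"x509_alg_dsaWithSha1",             KEY_DSA, 0},
    {"x509_alg_dsaWithSha224",           KEY_DSA, 0},
    {"x509_alg_dsaWithSha256",           KEY_DSA, 0},
    {"x509_alg_ecdsaWithSha1",           KEY_EC,  0},
    {"x509_alg_ecdsaWithSha224",         KEY_EC,  0},
    {"x509_alg_ecdsaWithSha256",         KEY_EC,  0},
    {"x509_alg_ecdsaWithSha384",         KEY_EC,  0},
    {"x509_alg_ecdsaWithSha512",         KEY_EC,  0},
};

/* Every comma-separated RDN needs type=value; a backslash escapes the next char (assumed). */
static int dn_has_separators(const char *dn) {
    int seen_eq = 0, len = 0;
    for (const char *p = dn; ; p++, len++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; }  /* skip escaped char */
        if (*p == '=' && len > 0) seen_eq = 1;              /* separator after a type */
        if (*p != ',' && *p != '\0') continue;
        if (!seen_eq) return 0;                             /* RDN ended without '=' */
        if (*p == '\0') return 1;
        seen_eq = 0; len = -1;                              /* start the next RDN */
    }
}

/* Run the checks locally before gsk_construct_renewal_request() is called. */
enum preflight preflight_renewal(const char *alg, enum key_family key,
                                 int fips_mode, const char *subject_name) {
    size_t i, n = sizeof ALGS / sizeof ALGS[0];
    for (i = 0; i < n && strcmp(ALGS[i].name, alg) != 0; i++) { }
    if (i == n) return PF_ALG_UNKNOWN;
    if (fips_mode && ALGS[i].fips_excluded) return PF_FIPS_EXCLUDED;
    if (ALGS[i].key != key) return PF_KEY_MISMATCH;
    return dn_has_separators(subject_name) ? PF_OK : PF_DN_NO_SEP;
}
```

A result other than PF_OK identifies which input to correct before the call; the return code from gsk_construct_renewal_request() itself must still be checked.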





Copyright IBM Corporation 1990, 2014