Constructs a certification renewal request as described in PKCS #10, Version 1.7: Certification
Request.
Format
#include <gskcms.h>

gsk_status gsk_construct_renewal_request (
    x509_public_key_info *   public_key,
    pkcs_private_key_info *  private_key,
    x509_algorithm_type      signature_algorithm,
    const char *             subject_name,
    x509_extensions *        extensions,
    pkcs_cert_request *      request)
Parameters
- public_key
- Specifies the public key for the certification request.
- private_key
- Specifies the private key for the certification request.
- signature_algorithm
- Specifies the signature algorithm used to sign the constructed
request.
- subject_name
- Specifies the distinguished name for the certificate subject.
The distinguished name is specified in the local code page and consists
of one or more relative distinguished name components separated by
commas.
- extensions
- Specifies certificate extensions to be included in the certification
request. Specify NULL for this parameter if no certificate extensions
are provided.
- request
- Returns the certification renewal request as a pkcs_cert_request
structure.
Results
The function return value will be 0 if no error is detected. Otherwise,
it will be one of the return codes listed in the gskcms.h include file.
These are some possible errors:
- [ASN_X500_NO_AVA_SEP]
- An attribute value separator is missing.
- [CMSERR_ALG_NOT_SUPPORTED]
- The signature algorithm is not valid.
- [CMSERR_BAD_KEY_SIZE]
- The key size is not valid.
- [CMSERR_KEY_MISMATCH]
- The signing key type is not supported by the requested signature
algorithm.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
Usage
The gsk_construct_renewal_request() routine constructs a certification
renewal request and returns the constructed request in the
pkcs_cert_request structure request. The gsk_encode_export_request()
routine can be called to create an export file containing the request for
transmission to the certification authority.

The certification request will be signed using the key specified by the
private_key parameter and the signature algorithm specified by the
signature_algorithm parameter. These signature algorithms are supported:
- x509_alg_md2WithRsaEncryption
- RSA encryption with MD2 digest - {1.2.840.113549.1.1.2}
- x509_alg_md5WithRsaEncryption
- RSA encryption with MD5 digest - {1.2.840.113549.1.1.4}
- x509_alg_sha1WithRsaEncryption
- RSA encryption with SHA-1 digest - {1.2.840.113549.1.1.5}
- x509_alg_sha224WithRsaEncryption
- RSA encryption with SHA-224 digest - {1.2.840.113549.1.1.14}
- x509_alg_sha256WithRsaEncryption
- RSA encryption with SHA-256 digest - {1.2.840.113549.1.1.11}
- x509_alg_sha384WithRsaEncryption
- RSA encryption with SHA-384 digest - {1.2.840.113549.1.1.12}
- x509_alg_sha512WithRsaEncryption
- RSA encryption with SHA-512 digest - {1.2.840.113549.1.1.13}
- x509_alg_dsaWithSha1
- Digital Signature Standard with SHA-1 digest - {1.2.840.10040.4.3}
- x509_alg_dsaWithSha224
- Digital Signature Standard with SHA-224 digest - {2.16.840.1.101.3.4.3.1}
- x509_alg_dsaWithSha256
- Digital Signature Standard with SHA-256 digest - {2.16.840.1.101.3.4.3.2}
- x509_alg_ecdsaWithSha1
- Elliptic Curve Digital Signature Algorithm with SHA-1 digest - {1.2.840.10045.4.1}
- x509_alg_ecdsaWithSha224
- Elliptic Curve Digital Signature Algorithm with SHA-224 digest - {1.2.840.10045.4.3.1}
- x509_alg_ecdsaWithSha256
- Elliptic Curve Digital Signature Algorithm with SHA-256 digest - {1.2.840.10045.4.3.2}
- x509_alg_ecdsaWithSha384
- Elliptic Curve Digital Signature Algorithm with SHA-384 digest - {1.2.840.10045.4.3.3}
- x509_alg_ecdsaWithSha512
- Elliptic Curve Digital Signature Algorithm with SHA-512 digest - {1.2.840.10045.4.3.4}
When executing in FIPS mode, signature algorithms
x509_alg_md2WithRsaEncryption and x509_alg_md5WithRsaEncryption are
not supported.
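The following is an added example, not IBM code, and it does not call System SSL: it reads the signatureAlgorithm OID out of a DER-encoded PKCS #10 request and checks it against the object identifiers listed above, so a request can be audited before it is sent to the certification authority. The function name csr_sig_alg_check, the DER input assumption, and the policy of flagging MD2, MD5 and SHA-1 digests are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Step into one DER TLV carrying `tag`; returns the value pointer, or NULL if malformed. */
static const unsigned char *tlv(const unsigned char *p, const unsigned char *end,
                                unsigned char tag, size_t *len) {
    if (end - p < 2 || p[0] != tag) return NULL;
    size_t n = p[1], k = n & 0x7f; p += 2;
    if (n & 0x80) {                          /* long form: k length bytes follow */
        if (k == 0 || k > 4 || (size_t)(end - p) < k) return NULL;
        for (n = 0; k--; ) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;
    *len = n; return p;
}

/* 0 = listed, 1 = listed but MD2/MD5/SHA-1 (this example's policy), -1 = malformed/unlisted. */
int csr_sig_alg_check(const unsigned char *der, size_t n, char *oid, size_t cap) {
    static const char *listed[] = {          /* first 5 entries: MD2, MD5 and SHA-1 digests */
        "1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5",
        "1.2.840.10040.4.3", "1.2.840.10045.4.1", "1.2.840.113549.1.1.14",
        "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12", "1.2.840.113549.1.1.13",
        "2.16.840.1.101.3.4.3.1", "2.16.840.1.101.3.4.3.2", "1.2.840.10045.4.3.1",
        "1.2.840.10045.4.3.2", "1.2.840.10045.4.3.3", "1.2.840.10045.4.3.4" };
    size_t len, used = 0, i; unsigned long arc = 0;
    const unsigned char *p = tlv(der, der + n, 0x30, &len), *end = p ? p + len : NULL;
    if (!p || !(p = tlv(p, end, 0x30, &len))) return -1;      /* certificationRequestInfo */
    if (!(p = tlv(p + len, end, 0x30, &len))) return -1;      /* signatureAlgorithm */
    if (!(p = tlv(p, p + len, 0x06, &len)) || !len || (p[len - 1] & 0x80)) return -1;
    for (i = 0; i < len; i++) {                               /* base-128 arcs to dotted text */
        if (arc >> (sizeof arc * 8 - 7) || (!arc && p[i] == 0x80)) return -1; /* overflow, padding */
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;
        int w = used ? snprintf(oid + used, cap - used, ".%lu", arc)
                     : snprintf(oid, cap, "%lu.%lu", arc < 80 ? arc / 40 : 2UL,
                                arc < 80 ? arc % 40 : arc - 80);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w; arc = 0;
    }
    for (i = 0; i < sizeof listed / sizeof *listed; i++) if (!strcmp(oid, listed[i])) return i < 5;
    return -1;
}

int main(void) {   /* constructed sample: empty info, sha256WithRSAEncryption, dummy signature */
    static const unsigned char csr[] = { 0x30,0x15, 0x30,0x00, 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
        0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00, 0x03,0x02,0x00,0x00 };
    char oid[64] = "?";
    printf("%d %s\n", csr_sig_alg_check(csr, sizeof csr, oid, sizeof oid), oid);
    return 0;
}
```

The check only inspects the outer signatureAlgorithm field; it does not verify the signature or the contents of the request.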
The extensions parameter can be used to provide certificate extensions
for inclusion in the certification request. Whether or not a particular
certificate extension will be included in the new certificate is
determined by the certification authority.