Creates a signed certificate revocation list.
This function is deprecated. Use gsk_create_signed_crl_record() instead.
Format
#include <gskcms.h>
gsk_status gsk_create_signed_crl (
gsk_handle db_handle,
const char * label,
gsk_int32 crl_number,
int num_days,
x509_revoked_certificates * revoked_certificates,
x509_extensions * extensions,
gsk_buffer * signed_crl)
Parameters
- db_handle
- Specifies the database handle returned by the gsk_create_database() routine,
the gsk_open_database() routine, or the gsk_open_keyring() routine.
This must be a key database and not a request database.
- label
- Specifies the label for the certificate to be used to sign the
certificate revocation list. The label is specified in the local
code page.
- crl_number
- Specifies the CRL number. CRL numbers must increase monotonically: each
successive revocation list from the same issuer carries a larger CRL number
than every previous one (RFC 5280, section 5.2.3), which lets a relying party
detect that it has been handed an older list.
- num_days
- Specifies the number of days until the next CRL will be issued, as a
value between 1 and 9999. Values outside that range are clamped rather
than rejected: a larger value is treated as 9999 and a smaller value
(including 0) as 1.
- revoked_certificates
- Specifies the revoked list of certificates to be included in the
CRL. This list consists of the certificate serial numbers and not
the actual certificates.
- extensions
- Specifies the CRL extensions for the new CRL. Specify NULL for
this parameter if no CRL extensions are supplied.
- signed_crl
- Returns the signed certificate revocation list in Base64 format.
The Base64 stream will be in the local code page. The application
should call the gsk_free_buffer() routine to release the stream
when it is no longer needed.
Results
The function return value will be
0 if no error is detected. Otherwise, it will be one of the return
codes listed in the
gskcms.h include file. These are some
possible errors:
- [CMSERR_BAD_EC_PARAMS]
- Elliptic Curve parameters are not valid.
- [CMSERR_BAD_HANDLE]
- The database handle is not valid.
- [CMSERR_BAD_LABEL]
- The record label is not valid.
- [CMSERR_BAD_SIGNATURE]
- The request signature is not correct.
- [CMSERR_DUPLICATE_EXTENSION]
- Supplied extensions contain a duplicate extension.
- [CMSERR_ECURVE_NOT_FIPS_APPROVED]
- Elliptic Curve not supported in FIPS mode.
- [CMSERR_ECURVE_NOT_SUPPORTED]
- Elliptic Curve is not supported.
- [CMSERR_EXPIRED]
- The signer certificate is expired.
- [CMSERR_ICSF_FIPS_DISABLED]
- ICSF PKCS #11 services are disabled.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF services are not available.
- [CMSERR_ICSF_NOT_FIPS]
- ICSF PKCS #11 not operating in FIPS mode.
- [CMSERR_ICSF_SERVICE_FAILURE]
- ICSF callable service returned an error.
- [CMSERR_INCORRECT_DBTYPE]
- The database type does not support certificates.
- [CMSERR_INCORRECT_KEY_USAGE]
- The signer certificate key usage does not allow signing a CRL.
- [CMSERR_ISSUER_NOT_CA]
- The signer certificate is not for a certification authority.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
- [CMSERR_NO_PRIVATE_KEY]
- The signer certificate does not have a private key.
- [CMSERR_RECORD_NOT_FOUND]
- The signer certificate is not found in the key database.
Usage
The gsk_create_signed_crl() routine
generates an X.509 certificate revocation list (CRL) as described
in RFC 5280: Internet
X.509 Public Key Infrastructure Certificate and Certificate Revocation
List (CRL) Profile. The new CRL is signed using the
certificate specified by the label parameter. The nextUpdate time is
the earlier of the date requested through the num_days parameter and the
expiration of the signing certificate, so the CRL never claims validity
beyond the lifetime of the certificate that signs it.
The signing certificate must have an associated private key; its BasicConstraints
extension must either be omitted or have the CA indicator set; and its
KeyUsage extension must either be omitted or include the cRLSign bit.
The CRL will have a CRLNumber
extension containing the value specified by the crl_number parameter.
It will also have an AuthorityKeyIdentifier extension if the signing
certificate has a SubjectKeyIdentifier extension. The application
can supply additional extensions through the extensions parameter.
An AuthorityKeyIdentifier or CRLNumber extension provided by the
application will replace the default extension created for the CRL.
No certification path validation is performed by the gsk_create_signed_crl() routine:
it checks only the attributes of the signing certificate listed above and does
not verify that the certificate chains to a trusted anchor or is itself unrevoked.
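The following Python program is an added illustration and is not IBM System SSL code. It builds the unsigned TBSCertList (RFC 5280, section 5.1) that gsk_create_signed_crl() would sign, applying the parameter rules described in the Parameters and Usage sections: the num_days clamp to 1..9999, the nextUpdate cap at the signer's expiry, the default CRLNumber and AuthorityKeyIdentifier extensions (the latter only when the signer has a SubjectKeyIdentifier), replacement of a default by an application-supplied extension, duplicate-extension detection, and the signer prerequisites (private key, CA indicator, cRLSign). Signing with the labelled certificate's private key and the Base64 output are left to the real routine. The signer "certificate" is a plain dict, the ValueError names that mirror the CMSERR_ codes, and the sample signer are all assumptions of this example.

```python
"""Added illustration, not IBM System SSL code: build the unsigned TBSCertList
(RFC 5280, section 5.1) that gsk_create_signed_crl() would sign, applying the
parameter rules described on the page. Signing and Base64 output are omitted;
the signer "certificate" is a plain dict (an assumption of this example)."""
from datetime import datetime, timedelta, timezone

CRL_NUMBER, AUTH_KEY_ID = "2.5.29.20", "2.5.29.35"

def der(tag, body):                      # one TLV with definite length
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):                          # non-negative INTEGER, shortest two's-complement form
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def der_time(dt):                        # UTCTime before 2050, GeneralizedTime from 2050 on
    if dt.year < 2050:
        return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

def tlv(buf, i=0):                       # decode one TLV at offset i -> (tag, body, next offset)
    tag, n, j = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, j = int.from_bytes(buf[j:j + k], "big"), j + k
    return tag, buf[j:j + n], j + n

def children(body):                      # every (tag, body) pair inside a constructed value
    out, i = [], 0
    while i < len(body):
        tag, val, i = tlv(body, i)
        out.append((tag, val))
    return out

def build_tbs_crl(signer, crl_number, num_days, revoked_serials, extensions=(), now=None):
    """Return (DER TBSCertList, nextUpdate used); `extensions` holds (oid, DER value) pairs."""
    # Signer prerequisites from the Usage text; the names mirror the CMSERR_ codes
    if not signer.get("private_key"):
        raise ValueError("NO_PRIVATE_KEY")
    if signer.get("is_ca") is False:                 # BasicConstraints present, CA not set
        raise ValueError("ISSUER_NOT_CA")
    if signer.get("key_usage") is not None and "cRLSign" not in signer["key_usage"]:
        raise ValueError("INCORRECT_KEY_USAGE")      # KeyUsage present but without cRLSign
    now = now or datetime.now(timezone.utc)
    if now > signer["not_after"]:
        raise ValueError("EXPIRED")
    days = min(max(int(num_days), 1), 9999)          # num_days is clamped to 1..9999
    next_update = min(now + timedelta(days=days), signer["not_after"])  # never past signer expiry
    # Defaults: CRLNumber always; AuthorityKeyIdentifier only when the signer carries an SKI
    exts = {CRL_NUMBER: der_int(crl_number)}
    if signer.get("subject_key_id"):
        exts[AUTH_KEY_ID] = der(0x30, der(0x80, signer["subject_key_id"]))
    seen = set()
    for oid, value in extensions:
        if oid in seen:
            raise ValueError("DUPLICATE_EXTENSION")
        seen.add(oid)
        exts[oid] = value                            # an application copy replaces the default
    # Entries carry a serial number and revocation date (simplified to `now`), never the certificate
    revoked = b"".join(der(0x30, der_int(s) + der_time(now)) for s in revoked_serials)
    issuer = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, signer["cn"].encode()))))
    tbs = der(0x30, der_int(1)                                                  # version v2
              + der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))    # sha256WithRSA
              + issuer + der_time(now) + der_time(next_update)
              + (der(0x30, revoked) if revoked else b"")
              + der(0xA0, der(0x30, b"".join(der(0x30, der_oid(o) + der(0x04, v))
                                             for o, v in exts.items()))))
    return tbs, next_update

def crl_summary(tbs):
    """Read CRLNumber, revoked serials and the extension OID bodies back out of a TBSCertList."""
    fields = children(tlv(tbs)[1])
    out = {"crl_number": None, "serials": [], "extensions": []}
    for tag, val in fields[5:]:                      # everything after nextUpdate
        if tag == 0x30:                              # revokedCertificates
            out["serials"] = [int.from_bytes(children(e)[0][1], "big") for _, e in children(val)]
        elif tag == 0xA0:                            # [0] EXPLICIT crlExtensions
            for _, ext in children(children(val)[0][1]):
                oid_body, value = children(ext)[0][1], children(ext)[-1][1]
                out["extensions"].append(oid_body)
                if oid_body == der_oid(CRL_NUMBER)[2:]:
                    out["crl_number"] = int.from_bytes(tlv(value)[1], "big")
    return out

# Constructed sample signer and a fixed clock, so the output is repeatable
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SIGNER = {"cn": "Example CA", "private_key": True, "is_ca": True,
                 "key_usage": {"keyCertSign", "cRLSign"},
                 "not_after": NOW + timedelta(days=30), "subject_key_id": bytes(range(20))}

if __name__ == "__main__":
    tbs, next_update = build_tbs_crl(SAMPLE_SIGNER, 7, 90, [0x1001, 0x1002], now=NOW)
    print(next_update, crl_summary(tbs))             # nextUpdate capped at the signer's expiry
```

Requesting 90 days from a signer that expires in 30 produces a nextUpdate equal to the signer's expiry, exactly as the Usage text describes; passing num_days of 50000 against a long-lived signer yields 9999 days. Feeding the resulting TBSCertList to crl_summary() is a quick way to confirm which extensions actually landed in the CRL before it goes to a relying party.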