z/OS Cryptographic Services System SSL Programming


gsk_create_signed_crl()

SC14-7495-00

Creates a signed certificate revocation list.

This function is deprecated. Use gsk_create_signed_crl_record() instead.

Format

   #include <gskcms.h>

   gsk_status gsk_create_signed_crl (
                   gsk_handle                     db_handle,
                   const char *                   label,
                   gsk_int32                      crl_number,
                   int                            num_days,
                   x509_revoked_certificates *    revoked_certificates,
                   x509_extensions *              extensions,
                   gsk_buffer *                   signed_crl)

Parameters

db_handle
Specifies the database handle returned by the gsk_create_database() routine, the gsk_open_database() routine, or the gsk_open_keyring() routine. This must be a key database and not a request database.
label
Specifies the label for the certificate to be used to sign the certificate revocation list. The label is specified in the local code page.
crl_number
Specifies the CRL number. CRLs are numbered sequentially: each successive revocation list must have a larger CRL number than all previous revocation lists issued by the same signer.
num_days
Specifies the number of days until the next CRL will be issued, as a value between 1 and 9999. A larger value is treated as 9999 and a smaller value is treated as 1.
revoked_certificates
Specifies the revoked list of certificates to be included in the CRL. This list consists of the certificate serial numbers and not the actual certificates.
extensions
Specifies the CRL extensions for the new CRL. Specify NULL for this parameter if no CRL extensions are supplied.
signed_crl
Returns the signed certificate revocation list in Base64 format. The Base64 stream will be in the local code page. The application should call the gsk_free_buffer() routine to release the stream when it is no longer needed.

Results

The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:
[CMSERR_BAD_EC_PARAMS]
Elliptic Curve parameters are not valid.
[CMSERR_BAD_HANDLE]
The database handle is not valid.
[CMSERR_BAD_LABEL]
The record label is not valid.
[CMSERR_BAD_SIGNATURE]
The request signature is not correct.
[CMSERR_DUPLICATE_EXTENSION]
Supplied extensions contain a duplicate extension.
[CMSERR_ECURVE_NOT_FIPS_APPROVED]
Elliptic Curve not supported in FIPS mode.
[CMSERR_ECURVE_NOT_SUPPORTED]
Elliptic Curve is not supported.
[CMSERR_EXPIRED]
The signer certificate is expired.
[CMSERR_ICSF_FIPS_DISABLED]
ICSF PKCS #11 services are disabled.
[CMSERR_ICSF_NOT_AVAILABLE]
ICSF services are not available.
[CMSERR_ICSF_NOT_FIPS]
ICSF PKCS #11 not operating in FIPS mode.
[CMSERR_ICSF_SERVICE_FAILURE]
ICSF callable service returned an error.
[CMSERR_INCORRECT_DBTYPE]
The database type does not support certificates.
[CMSERR_INCORRECT_KEY_USAGE]
The signer certificate key usage does not allow signing a CRL.
[CMSERR_ISSUER_NOT_CA]
The signer certificate is not for a certification authority.
[CMSERR_NO_MEMORY]
Insufficient storage is available.
[CMSERR_NO_PRIVATE_KEY]
The signer certificate does not have a private key.
[CMSERR_RECORD_NOT_FOUND]
The signer certificate is not found in the key database.

Usage

The gsk_create_signed_crl() routine will generate an X.509 certificate revocation list (CRL) as described in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. The new CRL will be signed using the certificate specified by the label parameter. The number of days until the next CRL is issued will be set to the earlier of the requested date and the expiration of the signing certificate.

The signing certificate must have an associated private key, the BasicConstraints extension must either be omitted or must have the CA indicator set, and the KeyUsage extension must either be omitted or must allow signing certificate revocation lists.

The CRL will have a CRLNumber extension containing the value specified by the crl_number parameter. It will also have an AuthorityKeyIdentifier extension if the signing certificate has a SubjectKeyIdentifier extension. The application can supply additional extensions through the extensions parameter. An AuthorityKeyIdentifier or CRLNumber extension provided by the application will replace the default extension created for the CRL.

No certification path validation is performed by the gsk_create_signed_crl() routine.
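The checks and the nextUpdate rule described above can be modelled in a few lines of plain C. The block below is an added example, not IBM code and not a call into System SSL: gskcms.h and the real CMSERR_* values are not reproduced, so the status codes, the signer_cert structure and the fixed timestamps are stand-ins chosen for the model. It shows the documented clamping of num_days to 1..9999, the signer eligibility checks (private key, BasicConstraints, KeyUsage, expiration) that correspond to the CMSERR_NO_PRIVATE_KEY, CMSERR_ISSUER_NOT_CA, CMSERR_INCORRECT_KEY_USAGE and CMSERR_EXPIRED results, and why a 90-day request against a signer that expires in 30 days yields a 30-day CRL.

```c
#include <stdio.h>
#include <time.h>

/* Stand-in status codes. The real CMSERR_* values are defined in gskcms.h and
 * are not reproduced here; these enum values are assumptions for the model. */
enum crl_status {
    CRL_OK = 0,
    CRL_ERR_NO_PRIVATE_KEY,      /* models CMSERR_NO_PRIVATE_KEY */
    CRL_ERR_ISSUER_NOT_CA,       /* models CMSERR_ISSUER_NOT_CA */
    CRL_ERR_INCORRECT_KEY_USAGE, /* models CMSERR_INCORRECT_KEY_USAGE */
    CRL_ERR_EXPIRED              /* models CMSERR_EXPIRED */
};

/* RFC 5280 KeyUsage bit positions (bit 0 is digitalSignature). */
#define KU_KEY_CERT_SIGN (1u << 5)
#define KU_CRL_SIGN      (1u << 6)

#define SECONDS_PER_DAY 86400L
#define MIN_NUM_DAYS 1
#define MAX_NUM_DAYS 9999

/* Minimal view of the signing certificate: only the fields the checks need. */
struct signer_cert {
    int has_private_key;
    int has_basic_constraints;  /* 0 means the extension is omitted */
    int basic_constraints_ca;   /* cA flag, meaningful only if present */
    int has_key_usage;          /* 0 means the extension is omitted */
    unsigned key_usage;         /* bitmask of KU_* values */
    time_t not_after;           /* signer expiration */
};

struct crl_plan {
    enum crl_status status;
    time_t this_update;
    time_t next_update;
};

/* num_days outside 1..9999 is clamped, as the parameter description states. */
int clamp_num_days(int num_days)
{
    if (num_days < MIN_NUM_DAYS) return MIN_NUM_DAYS;
    if (num_days > MAX_NUM_DAYS) return MAX_NUM_DAYS;
    return num_days;
}

/* Eligibility checks listed under Usage: private key present, BasicConstraints
 * omitted or cA set, KeyUsage omitted or cRLSign allowed, signer not expired.
 * No certification path validation is done, matching the documented behaviour;
 * whether the signer chains to a trusted root is the caller's concern. */
enum crl_status check_crl_signer(const struct signer_cert *c, time_t now)
{
    if (!c->has_private_key) return CRL_ERR_NO_PRIVATE_KEY;
    if (c->has_basic_constraints && !c->basic_constraints_ca) return CRL_ERR_ISSUER_NOT_CA;
    if (c->has_key_usage && !(c->key_usage & KU_CRL_SIGN)) return CRL_ERR_INCORRECT_KEY_USAGE;
    if (now > c->not_after) return CRL_ERR_EXPIRED;
    return CRL_OK;
}

/* nextUpdate is the earlier of thisUpdate + num_days and the signer's expiration,
 * so a CRL never claims to be current beyond the life of the key that signed it. */
time_t compute_next_update(time_t this_update, int num_days, time_t signer_not_after)
{
    time_t requested = this_update + (time_t)clamp_num_days(num_days) * SECONDS_PER_DAY;
    return requested < signer_not_after ? requested : signer_not_after;
}

/* Run the checks and, if they pass, compute the CRL validity window. */
struct crl_plan plan_signed_crl(const struct signer_cert *c, time_t now, int num_days)
{
    struct crl_plan p;
    p.this_update = now;
    p.next_update = 0;
    p.status = check_crl_signer(c, now);
    if (p.status == CRL_OK)
        p.next_update = compute_next_update(now, num_days, c->not_after);
    return p;
}

int main(void)
{
    /* Constructed sample data: a fixed "now" and a CA that expires in 30 days. */
    time_t now = (time_t)1700000000L;
    struct signer_cert ca = {1, 1, 1, 1, KU_KEY_CERT_SIGN | KU_CRL_SIGN,
                             now + 30 * SECONDS_PER_DAY};
    struct crl_plan p = plan_signed_crl(&ca, now, 90); /* asks for 90 days */

    printf("status=%d requested=90 days, granted=%ld days\n", (int)p.status,
           (long)((p.next_update - p.this_update) / SECONDS_PER_DAY));

    ca.key_usage = KU_KEY_CERT_SIGN; /* drop cRLSign: signing must be refused */
    printf("status without cRLSign=%d\n", (int)plan_signed_crl(&ca, now, 90).status);
    return 0;
}
```

The shortened nextUpdate is worth watching operationally: a CRL whose signer is close to expiry will go stale sooner than the num_days value suggests, so a publication schedule built on num_days alone can leave relying parties with an expired CRL. Keeping the crl_number monotonically increasing is likewise left to the caller.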





Copyright IBM Corporation 1990, 2014