z/OS Cryptographic Services System SSL Programming


gsk_get_directory_crls()

SC14-7495-00

Gets the certificate revocation lists stored in the LDAP directory for the issuer.

Format

   #include <gskcms.h>

   gsk_status gsk_get_directory_crls (
                                       gsk_handle          directory_handle,
                                       x509_name *         dist_point_name,
                                       x509_name *         issuer_name,
                                       gsk_boolean         ca_lists,
                                       x509_crls *         crls)

Parameters

directory_handle
Specifies the directory handle returned by the gsk_open_directory() routine.
dist_point_name
Specifies the CRL distribution point name.
issuer_name
Specifies the CRL issuer name.
ca_lists
Specifies TRUE to retrieve the revocation lists for certification authority certificates (the authorityRevocationList attribute) or FALSE to retrieve the revocation lists for end-entity certificates (the certificateRevocationList attribute).
crls
Returns the certificate revocation lists. The application should call the gsk_free_crls() routine to release the lists when they are no longer needed.

Results

The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:
[CMSERR_BAD_HANDLE]
The directory handle is not valid.
[CMSERR_LDAP]
An error is detected by the LDAP runtime support.
[CMSERR_LDAP_NOT_AVAILABLE]
The LDAP server is not available.
[CMSERR_NO_MEMORY]
Insufficient storage is available.
[CMSERR_RECORD_NOT_FOUND]
The requested CRL is not found.

Usage

The gsk_get_directory_crls() routine retrieves the certificate revocation lists (CRLs) stored in the LDAP directory for the specified issuer name. When matching UTF-8 encoded attribute values (gsk_string_utf8) in the issuer name, System SSL uses a case-sensitive (exact match) comparison, so an issuer name that differs from the name in the CRL only in case is not a match. The directory schema is defined by RFC 2587: Internet X.509 Public Key Infrastructure LDAPv2 Schema. The revocation lists are stored as attributes of the issuer directory entry, and each CRL is DER-encoded as defined by RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. The certificateRevocationList attribute holds revocation lists for end-entity certificates; the authorityRevocationList attribute holds revocation lists for certification authority certificates. The ca_lists parameter selects which of the two attributes is read.

The dist_point_name parameter specifies the CRL distribution point name. This name is used as the distinguished name of the LDAP directory entry that is read. The issuer_name parameter specifies the CRL issuer name. This name must match the issuer name stored in the CRL; CRLs in the entry whose issuer does not match are not returned, and CMSERR_RECORD_NOT_FOUND is returned when no CRL matches.

Retrieved certificate revocation lists are cached so that it is not necessary to contact the LDAP server for subsequent requests for the same issuer. The cached revocation lists are released when the gsk_close_directory() routine is called to close the directory handle. The cached entries are also discarded at the end of the cache timeout specified by the GSK_CRL_CACHE_TIMEOUT environment variable (the default timeout is 24 hours). Note that a revocation published to the directory after a list was cached is not seen by the application until that cached entry expires or the directory handle is closed and reopened; shorten GSK_CRL_CACHE_TIMEOUT if that window is too long for the application's revocation policy.
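The retrieval and caching behaviour described above, as an added example that is not System SSL's code: a self-contained C model of gsk_get_directory_crls() that selects the RFC 2587 attribute from ca_lists, serves repeated requests for the same distribution point from a cache until the timeout elapses, and keeps only the CRLs whose issuer matches the requested issuer name exactly (case-sensitive). The model_* names, the model_crl structure, the 24-hour constant and the directory content returned by model_ldap_fetch() are assumptions constructed for this example; gskcms.h and a real LDAP server are not used.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MODEL_MAX_CRLS 4
#define MODEL_CACHE_SLOTS 4
/* Mirrors the documented GSK_CRL_CACHE_TIMEOUT default of 24 hours (an assumption for the model). */
#define MODEL_CRL_CACHE_TIMEOUT_DEFAULT (24L * 60 * 60)

/* Hypothetical stand-in for a decoded CRL: only the fields the model needs. */
typedef struct {
    const char *issuer;     /* issuer name as stored in the CRL, UTF-8 string form */
    const char *attribute;  /* LDAP attribute the CRL was read from */
} model_crl;

typedef struct {
    model_crl list[MODEL_MAX_CRLS];
    int count;
} model_crls;

/* One cache slot per (distribution point DN, list type), as the text describes. */
typedef struct {
    int valid;
    char dn[128];
    int ca_lists;
    time_t fetched_at;
    model_crls crls;
} model_cache_entry;

static model_cache_entry model_cache[MODEL_CACHE_SLOTS];
static int model_fetch_count;    /* simulated LDAP server contacts */
static model_crls model_last;    /* result of the most recent model_lookup() */

/* RFC 2587 attribute selected by ca_lists. */
const char *model_crl_attribute(int ca_lists) {
    return ca_lists ? "authorityRevocationList" : "certificateRevocationList";
}

int model_ldap_fetch_count(void) { return model_fetch_count; }

/* Constructed directory content standing in for the LDAP server: one entry at
 * CN=CRL1,OU=PKI,O=Example carrying one ARL and two end-entity CRLs. */
static void model_ldap_fetch(const char *dn, int ca_lists, model_crls *out) {
    const char *attr = model_crl_attribute(ca_lists);
    model_fetch_count++;
    out->count = 0;
    if (strcmp(dn, "CN=CRL1,OU=PKI,O=Example") != 0)
        return;                                   /* no such directory entry */
    if (ca_lists) {
        out->list[out->count++] = (model_crl){ "CN=Example Root CA,O=Example", attr };
    } else {
        out->list[out->count++] = (model_crl){ "CN=Example Issuing CA,O=Example", attr };
        /* Differs from the first only in case: must not match under exact comparison. */
        out->list[out->count++] = (model_crl){ "CN=example issuing ca,O=Example", attr };
    }
}

/* Model of gsk_get_directory_crls(): 0 and crls filled on success, -1 when no
 * CRL for issuer_name is present (the CMSERR_RECORD_NOT_FOUND case). */
int model_get_directory_crls(const char *dist_point_name, const char *issuer_name,
                             int ca_lists, time_t now, long timeout_seconds,
                             model_crls *crls) {
    model_cache_entry *slot = NULL;
    int i;

    /* A live cache entry for this DN and list type avoids contacting the server. */
    for (i = 0; i < MODEL_CACHE_SLOTS; i++) {
        model_cache_entry *e = &model_cache[i];
        if (e->valid && e->ca_lists == ca_lists && strcmp(e->dn, dist_point_name) == 0) {
            if (now - e->fetched_at < timeout_seconds)
                slot = e;                         /* cache hit */
            else
                e->valid = 0;                     /* timed out: discard and refetch */
            break;
        }
    }
    if (slot == NULL) {
        for (i = 0; i < MODEL_CACHE_SLOTS && model_cache[i].valid; i++) ;
        if (i == MODEL_CACHE_SLOTS) i = 0;        /* trivial eviction, enough for the demo */
        slot = &model_cache[i];
        strncpy(slot->dn, dist_point_name, sizeof slot->dn - 1);
        slot->dn[sizeof slot->dn - 1] = '\0';
        slot->ca_lists = ca_lists;
        slot->fetched_at = now;
        slot->valid = 1;
        model_ldap_fetch(dist_point_name, ca_lists, &slot->crls);
    }

    /* Exact, case-sensitive issuer match; nothing else from the entry is returned. */
    crls->count = 0;
    for (i = 0; i < slot->crls.count; i++)
        if (strcmp(slot->crls.list[i].issuer, issuer_name) == 0)
            crls->list[crls->count++] = slot->crls.list[i];
    return crls->count > 0 ? 0 : -1;
}

/* Convenience wrapper: number of matching CRLs, or -1 if none. */
int model_lookup(const char *dn, const char *issuer, int ca_lists, time_t now) {
    if (model_get_directory_crls(dn, issuer, ca_lists, now,
                                 MODEL_CRL_CACHE_TIMEOUT_DEFAULT, &model_last) != 0)
        return -1;
    return model_last.count;
}

const char *model_last_attribute(void) {
    return model_last.count > 0 ? model_last.list[0].attribute : "";
}

int main(void) {
    const char *dn = "CN=CRL1,OU=PKI,O=Example";
    const char *issuer = "CN=Example Issuing CA,O=Example";
    time_t t0 = 1000;
    printf("t0:        %d CRL(s), server contacts=%d\n", model_lookup(dn, issuer, 0, t0), model_ldap_fetch_count());
    printf("t0+1h:     %d CRL(s), server contacts=%d\n", model_lookup(dn, issuer, 0, t0 + 3600), model_ldap_fetch_count());
    printf("t0+24h:    %d CRL(s), server contacts=%d\n",
           model_lookup(dn, issuer, 0, t0 + MODEL_CRL_CACHE_TIMEOUT_DEFAULT), model_ldap_fetch_count());
    printf("lowercase: %d (no exact match)\n", model_lookup(dn, "cn=example issuing ca,o=example", 0, t0));
    return 0;
}
```

The second call is answered without a server contact, and the third, one full timeout later, goes back to the directory; that interval is also the window during which a revocation newly published to the directory is not visible to the caller. On z/OS the real window is governed by GSK_CRL_CACHE_TIMEOUT and by closing the directory handle, not by anything in this model.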





Copyright IBM Corporation 1990, 2014