Signs an X.509 certificate.
Format
#include <gskcms.h>
gsk_status gsk_sign_certificate (
x509_certificate * certificate,
pkcs_private_key_info * private_key)
Parameters
- certificate
- Specifies the X.509 certificate.
- private_key
- Specifies the private key.
Results
The return status will be zero if
the signature is successfully generated. Otherwise, it will be one
of the return codes listed in the gskcms.h include file. These
are some possible errors:
- [CMSERR_ALG_NOT_SUPPORTED]
- The signature algorithm is not supported.
- [CMSERR_BAD_EC_PARAMS]
- Elliptic Curve parameters are not valid.
- [CMSERR_BAD_KEY_SIZE]
- The key size is not valid.
- [CMSERR_ECURVE_NOT_FIPS_APPROVED]
- Elliptic Curve not supported in FIPS mode.
- [CMSERR_ECURVE_NOT_SUPPORTED]
- Elliptic Curve is not supported.
- [CMSERR_ICSF_FIPS_DISABLED]
- ICSF PKCS #11 services are disabled.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF services are not available.
- [CMSERR_ICSF_NOT_FIPS]
- ICSF PKCS #11 not operating in FIPS mode.
- [CMSERR_ICSF_SERVICE_FAILURE]
- ICSF callable service returned an error.
- [CMSERR_KEY_MISMATCH]
- The supplied key does not match the signature algorithm.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
- [CMSERR_NO_PRIVATE_KEY]
- Private key does not exist or is not accessible.
Usage
The gsk_sign_certificate() routine
will sign an X.509 certificate using the supplied private key. The
private key can be an RSA key, DSA key, or an ECDSA key. If executing
in FIPS mode, the minimum key size for RSA and DSA keys is 1024 bits,
and the minimum key size for ECDSA keys is 160 bits. The private
key can be an ASN.1-encoded value contained in the privateKey field
or an ICSF key label contained in the keyToken field. In either case,
the key type must be specified by the privateKeyAlgorithm field.
The
signature algorithm is obtained from the signature field of the x509_tbs_certificate
structure contained within the x509_certificate structure. The generated
signature will be placed in the signatureAlgorithm and signatureValue
fields of the x509_certificate structure.
The following signature
algorithms are supported:
- x509_alg_md2WithRsaEncryption
- RSA encryption with MD2 digest - {1.2.840.113549.1.1.2}
- x509_alg_md5WithRsaEncryption
- RSA encryption with MD5 digest - {1.2.840.113549.1.1.4}
- x509_alg_sha1WithRsaEncryption
- RSA encryption with SHA-1 digest - {1.2.840.113549.1.1.5}
- x509_alg_sha224WithRsaEncryption
- RSA encryption with SHA-224 digest - {1.2.840.113549.1.1.14}
- x509_alg_sha256WithRsaEncryption
- RSA encryption with SHA-256 digest - {1.2.840.113549.1.1.11}
- x509_alg_sha384WithRsaEncryption
- RSA encryption with SHA-384 digest - {1.2.840.113549.1.1.12}
- x509_alg_sha512WithRsaEncryption
- RSA encryption with SHA-512 digest - {1.2.840.113549.1.1.13}
- x509_alg_dsaWithSha1
- Digital Signature Standard with SHA-1 digest - {1.2.840.10040.4.3}
- x509_alg_dsaWithSha224
- Digital Signature Standard with SHA-224 digest – {2.16.840.1.101.3.4.3.1}
- x509_alg_dsaWithSha256
- Digital Signature Standard with SHA-256 digest – {2.16.840.1.101.3.4.3.2}
- x509_alg_ecdsaWithSha1
- Elliptic Curve Digital Signature Algorithm with SHA-1 digest –
{1.2.840.10045.4.1}
- x509_alg_ecdsaWithSha224
- Elliptic Curve Digital Signature Algorithm with SHA-224 digest
– {1.2.840.10045.4.3.1}
- x509_alg_ecdsaWithSha256
- Elliptic Curve Digital Signature Algorithm with SHA-256 digest
– {1.2.840.10045.4.3.2}
- x509_alg_ecdsaWithSha384
- Elliptic Curve Digital Signature Algorithm with SHA-384 digest
– {1.2.840.10045.4.3.3}
- x509_alg_ecdsaWithSha512
- Elliptic Curve Digital Signature Algorithm with SHA-512 digest
– {1.2.840.10045.4.3.4}
When executing in FIPS mode, signature algorithms
x509_alg_md2WithRSAEncryption and x509_alg_md5WithRsaEncryption are
not supported.