Verifies the signature for an X.509 certificate revocation
list.
Format
#include <gskcms.h>
gsk_status gsk_verify_crl_signature (
x509_crl * crl,
x509_public_key_info * key)
Parameters
- crl
- Specifies the decoded certificate revocation list returned by
the gsk_decode_crl() routine.
- key
- Specifies the public key for the Certification Authority that
signed the certificate revocation list.
Results
The return status will be zero if
the signature is correct. Otherwise, it will be one of the return
codes listed in the gskcms.h include file. These are some
possible errors:
- [CMSERR_ALG_NOT_SUPPORTED]
- The signature algorithm is not supported.
- [CMSERR_BAD_EC_PARAMS]
- Elliptic Curve parameters are not valid.
- [CMSERR_BAD_KEY_SIZE]
- The key size is not valid.
- [CMSERR_BAD_SIGNATURE]
- The signature is not correct.
- [CMSERR_ECURVE_NOT_FIPS_APPROVED]
- Elliptic Curve not supported in FIPS mode.
- [CMSERR_ECURVE_NOT_SUPPORTED]
- Elliptic Curve is not supported.
- [CMSERR_ICSF_FIPS_DISABLED]
- ICSF PKCS #11 services are disabled.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF services are not available.
- [CMSERR_ICSF_NOT_FIPS]
- ICSF PKCS #11 not operating in FIPS mode.
- [CMSERR_ICSF_SERVICE_FAILURE]
- ICSF callable service returned an error.
- [CMSERR_KEY_MISMATCH]
- The supplied key does not match the signature algorithm.
- [CMSERR_PRIVATE_KEY_INFO_NOT_SUPPLIED]
- Private key information not supplied.
- [CMSERR_SIGNATURE_NOT_SUPPLIED]
- Signature not supplied.
Usage
The gsk_verify_crl_signature() routine
validates an X.509 certificate revocation list (CRL) by computing
its signature and then comparing the result to the signature contained
in the CRL.
The following signature algorithms are supported:
- x509_alg_md2WithRsaEncryption
- RSA encryption with MD2 digest - {1.2.840.113549.1.1.2}
- x509_alg_md5WithRsaEncryption
- RSA encryption with MD5 digest - {1.2.840.113549.1.1.4}
- x509_alg_sha1WithRsaEncryption
- RSA encryption with SHA-1 digest - {1.2.840.113549.1.1.5}
- x509_alg_sha224WithRsaEncryption
- RSA encryption with SHA-224 digest - {1.2.840.113549.1.1.14}
- x509_alg_sha256WithRsaEncryption
- RSA encryption with SHA-256 digest - {1.2.840.113549.1.1.11}
- x509_alg_sha384WithRsaEncryption
- RSA encryption with SHA-384 digest - {1.2.840.113549.1.1.12}
- x509_alg_sha512WithRsaEncryption
- RSA encryption with SHA-512 digest - {1.2.840.113549.1.1.13}
- x509_alg_dsaWithSha1
- Digital Signature Standard with SHA-1 digest - {1.2.840.10040.4.3}
- x509_alg_dsaWithSha224
- Digital Signature Standard with SHA-224 digest – {2.16.840.1.101.3.4.3.1}
- x509_alg_dsaWithSha256
- Digital Signature Standard with SHA-256 digest – {2.16.840.1.101.3.4.3.2}
- x509_alg_md5Sha1WithRsaEncryption
- RSA encryption with combined MD5 and SHA-1 digests
- x509_alg_ecdsaWithSha1
- Elliptic Curve Digital Signature Algorithm with SHA-1 digest –
{1.2.840.10045.4.1}
- x509_alg_ecdsaWithSha224
- Elliptic Curve Digital Signature Algorithm with SHA-224 digest
– {1.2.840.10045.4.3.1}
- x509_alg_ecdsaWithSha256
- Elliptic Curve Digital Signature Algorithm with SHA-256 digest
– {1.2.840.10045.4.3.2}
- x509_alg_ecdsaWithSha384
- Elliptic Curve Digital Signature Algorithm with SHA-384 digest
– {1.2.840.10045.4.3.3}
- x509_alg_ecdsaWithSha512
- Elliptic Curve Digital Signature Algorithm with SHA-512 digest
– {1.2.840.10045.4.3.4}
When executing in FIPS mode, signature algorithms
x509_alg_md2WithRSAEncryption and x509_alg_md5WithRsaEncryption are
not supported.