z/OS Cryptographic Services System SSL Programming


gsk_validate_server()

SC14-7495-00

Validate a server certificate.

Format

#include <gskcms.h>

gsk_status gsk_validate_server (
                                x509_certificate *       server_certificate,
                                const char *             host_name)

Parameters

server_certificate
Specifies the server certificate to be validated.
host_name
Specifies the fully-qualified server host name in the local code page.

Results

The return status is zero if the validation is successful. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:

[CMSERR_HOST_NOT_VALID]
The server certificate is not valid for the specified host name.

Usage

The gsk_validate_server() routine validates a server certificate by verifying the host name that is associated with the server. The server certificate must contain the specified host name either as the common name (CN) element of the subject name or as a DNS entry in the subject alternate name. When the common name attribute value is encoded as UTF-8 data (x509_string_utf8), the comparison against the common name (CN) element of the subject name is case-sensitive (an exact match). For other combinations of host name verification options, use gsk_validate_hostname().

The host name in the server certificate can be a fully-qualified name (for example, 'dcesec4.endicott.ibm.com'), a domain suffix (for example, '.endicott.ibm.com') or a wildcard name beginning with an asterisk (for example, '*.endicott.ibm.com'). A case-insensitive comparison is performed between the supplied host name and the host name in the server certificate. A fully-qualified name must be the same as the supplied host name. A domain suffix matches any host name with the same suffix but does not match the suffix itself. For example, '*.endicott.ibm.com' matches 'ldap.dcesec4.endicott.ibm.com' and 'dcesec4.endicott.ibm.com' but does not match 'endicott.ibm.com'. A wildcard name matches any name ending with the characters that follow the asterisk. A trailing period in a host name is ignored (for example, 'dcesec4.endicott.ibm.com.' is the same as 'dcesec4.endicott.ibm.com').
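The following is an added example, not IBM's System SSL code, that applies the three matching rules above (fully-qualified, domain suffix, wildcard) plus the trailing-period rule to a certificate name and a supplied host name; the function name cert_name_matches and the rejection of a bare '*' are this example's own choices.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of a name with one trailing period ignored, as the text specifies. */
static size_t effective_len(const char *s) {
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '.') n--;
    return n;
}

/* True if the last tail_len characters of name (case-insensitively) equal tail. */
static bool ends_with_ci(const char *name, size_t name_len,
                         const char *tail, size_t tail_len) {
    if (tail_len > name_len) return false;
    const char *p = name + (name_len - tail_len);
    for (size_t i = 0; i < tail_len; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)tail[i]))
            return false;
    return true;
}

/* Match a certificate host name (CN or DNS SAN entry) against the host name
 * supplied by the caller, using the rules described in this topic. */
bool cert_name_matches(const char *cert_name, const char *host) {
    size_t clen = effective_len(cert_name);
    size_t hlen = effective_len(host);
    if (clen == 0 || hlen == 0) return false;
    if (cert_name[0] == '*') {
        /* Wildcard: host must end with the characters after the asterisk.
         * A bare "*" is rejected here (this example's choice) because it
         * would otherwise match every host name. */
        if (clen < 2) return false;
        return ends_with_ci(host, hlen, cert_name + 1, clen - 1);
    }
    if (cert_name[0] == '.') {
        /* Domain suffix: host must end with the suffix but not equal it. */
        return hlen > clen && ends_with_ci(host, hlen, cert_name, clen);
    }
    /* Fully-qualified name: whole-string, case-insensitive match. */
    return hlen == clen && ends_with_ci(host, hlen, cert_name, clen);
}

int main(void) {
    /* Constructed checks mirroring the examples given in the text. */
    printf("%d\n", cert_name_matches("*.endicott.ibm.com", "dcesec4.endicott.ibm.com"));
    printf("%d\n", cert_name_matches("*.endicott.ibm.com", "endicott.ibm.com"));
    printf("%d\n", cert_name_matches("dcesec4.endicott.ibm.com", "DCESEC4.endicott.ibm.com."));
    return 0;
}
```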

No other certificate validation is performed. The gsk_validate_certificate_mode() routine should be called if the certificate itself must be validated.

Copyright IBM Corporation 1990, 2014