z/OS Cryptographic Services System SSL Programming


gsk_make_signed_data_msg_extended()

SC14-7495-00

Creates a PKCS #7 SignedData message from application data.

Format

#include <gskcms.h>

gsk_status gsk_make_signed_data_msg_extended (
                                     gsk_process_option        option_flag,
                                     int                       version,
                                     x509_algorithm_type       digest_algorithm,
                                     gsk_boolean               include_certificates,
                                     pkcs_cert_keys *          signer_certificates,
                                     pkcs_certificates *       ca_certificates,
                                     gsk_buffer *              data,
                                     gsk_attributes_signers *  attributes_signers,
                                     gsk_buffer *              stream)

Parameters

option_flag
Specifies process options to customize process behavior.
  • Enforce that the signing certificate has digital signing capabilities. That is, the purpose of the certificate key as reflected by the key usage extension must indicate digitalSignature.
  • Do not allow zero-length content data.
version
Specifies the PKCS #7 SignedData version number. Specify 0 to create a SignedData message as described in PKCS #7 Version 1.4, specify 1 to create a SignedData message as described in PKCS #7 Version 1.5, or specify 2 to create a SignedData message as described in PKCS #7 Version 1.6.
digest_algorithm
Specifies the digest algorithm.
include_certificates
Specify TRUE if the signer and certification authority certificates are to be included in the SignedData message. Specify FALSE if the certificates are not to be included.
signer_certificates
Specifies the certificates and associated private keys for the message signers. There must be at least one signer.
ca_certificates
Specifies the certification authority certificates. Zero or more certification authority certificates can be included in the SignedData message. This parameter is ignored if the include_certificates parameter is set to FALSE. NULL can be specified for this parameter if no CA certificates are to be included in the message.
data
Specifies the application data for the SignedData message.
attributes_signers
Specifies the authenticated attributes per signer to be added to the message. Specify NULL for this parameter if there are no authenticated attributes to be included in the message. If specified, then the set of authenticated attributes must NOT include content-type or message-digest authenticated attributes as these are automatically provided by gsk_make_signed_data_msg_extended(). If the set of authenticated attributes includes signing-time, then this will override the signing-time attribute generated by gsk_make_signed_data_msg_extended(). The digest_algorithm field within each gsk_attributes_signer structure is ignored - the digest algorithm is specified by the digest_algorithm parameter.
stream
Returns the ASN.1 DER-encoded stream. The application should call the gsk_free_buffer() routine to release the stream when it is no longer needed.

Results

The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:

[CMSERR_ALG_NOT_SUPPORTED]
The digest algorithm is not supported.
[CMSERR_CONTENT_NOT_SUPPORTED]
The content type is not supported.
[CMSERR_DIGEST_KEY_MISMATCH]
The digest algorithm is not supported for the private key type.
[CMSERR_ECURVE_NOT_FIPS_APPROVED]
Elliptic Curve not supported in FIPS mode.
[CMSERR_ECURVE_NOT_SUPPORTED]
Elliptic Curve is not supported.
[CMSERR_ICSF_FIPS_DISABLED]
ICSF PKCS #11 services are disabled.
[CMSERR_ICSF_NOT_AVAILABLE]
ICSF services are not available.
[CMSERR_ICSF_NOT_FIPS]
ICSF PKCS #11 not operating in FIPS mode.
[CMSERR_ICSF_SERVICE_FAILURE]
ICSF callable service returned an error.
[CMSERR_INCORRECT_KEY_USAGE]
A signer certificate does not allow digital signature.
[CMSERR_NO_CONTENT_DATA]
The content data length is zero.
[CMSERR_NO_MEMORY]
Insufficient storage is available.
[CMSERR_NO_PRIVATE_KEY]
Private key does not exist or is not accessible.
[CMSERR_SIGNER_NOT_FOUND]
No signer certificate provided or the certificate is not valid.
[CMSERR_VERSION_NOT_SUPPORTED]
The version is not valid.
[CMSERR_CONTENTTYPE_NOT_ALLOWED]
The content-type authenticated attribute is not allowed in attributes_signers.
[CMSERR_MESSAGEDIGEST_NOT_ALLOWED]
The message-digest authenticated attribute is not allowed in attributes_signers.

Usage

The gsk_make_signed_data_msg_extended() routine creates a PKCS #7 (Cryptographic Message Syntax) SignedData message and returns the ASN.1 DER-encoded ContentInfo sequence. The signed data content type will be Data. The gsk_read_signed_data_msg() or the gsk_read_signed_data_msg_extended() routine can be used to extract the application data from the stream. The option_flag parameter can optionally require that the key usage of each signer certificate allows digital signature. No validity checking will be performed on the signer certificates. It is assumed that the application has already validated the signer certificates.

Calling the gsk_make_signed_data_msg_extended() routine is equivalent to calling the gsk_make_data_content() routine, the gsk_make_signed_data_content_extended() routine, and the gsk_make_content_msg() routine.

A signature is included for each signer provided by the signer_certificates parameter. The X.509 certificates used to sign the message will be included in the SignedData message if the include_certificates parameter is set to TRUE. The message receiver will need to provide the signer certificates if the include_certificates parameter is set to FALSE.

You can optionally include certification authority certificates in the SignedData message. These certificates can then be used by the message receiver to validate the signer certificates.

These digest algorithms are supported:
x509_alg_md2Digest
MD2 digest (RSA keys only) - {1.2.840.113549.2.2}
x509_alg_md5Digest
MD5 digest (RSA keys only) - {1.2.840.113549.2.5}
x509_alg_sha1Digest
SHA-1 digest (RSA, DSA, and ECDSA keys only) - {1.3.14.3.2.26}
x509_alg_sha224Digest
SHA-224 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.4}
x509_alg_sha256Digest
SHA-256 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.1}
x509_alg_sha384Digest
SHA-384 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.2}
x509_alg_sha512Digest
SHA-512 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.3}

If authenticated attributes are provided from the attributes_signers parameter, then signing certificates for all signers represented within the gsk_attributes_signers structure must be provided from the signer_certificates parameter.

When executing in FIPS mode, digest algorithms x509_alg_md2Digest and x509_alg_md5Digest are not supported.
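
A receiver-side check built on the algorithm list above, as an added example (Python, not IBM code and not part of System SSL): it walks a DER-encoded ContentInfo of the kind this routine returns, reads the SignedData digestAlgorithms set, and maps each OID to the names on this page, marking MD2 and MD5 unsupported when fips=True. The function names and the sample message are constructed for illustration.

```python
DIGESTS = {  # OID -> (name on this page, False if the page excludes it in FIPS mode)
    "1.2.840.113549.2.2": ("x509_alg_md2Digest", False),
    "1.2.840.113549.2.5": ("x509_alg_md5Digest", False),
    "1.3.14.3.2.26": ("x509_alg_sha1Digest", True),
    "2.16.840.1.101.3.4.2.4": ("x509_alg_sha224Digest", True),
    "2.16.840.1.101.3.4.2.1": ("x509_alg_sha256Digest", True),
    "2.16.840.1.101.3.4.2.2": ("x509_alg_sha384Digest", True),
    "2.16.840.1.101.3.4.2.3": ("x509_alg_sha512Digest", True),
}
SIGNED_DATA = "1.2.840.113549.1.7.2"  # PKCS #7 signedData content type

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    arcs, acc = [], 0
    for b in value:  # base-128 digits; the high bit is clear on an arc's last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # first byte packs the first two arcs as 40*a + b
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def audit(der, fips=False):
    """Return (oid, name on this page, supported) per digestAlgorithms entry."""
    tag, info, _ = read_tlv(der, 0)                   # ContentInfo SEQUENCE
    otag, oid, pos = read_tlv(info, 0)                # contentType OID
    if tag != 0x30 or otag != 0x06 or decode_oid(oid) != SIGNED_DATA:
        raise ValueError("not a SignedData ContentInfo")
    signed = read_tlv(read_tlv(info, pos)[1], 0)[1]   # [0] EXPLICIT -> SignedData
    pos = read_tlv(signed, 0)[2]                      # skip the version INTEGER
    algs, pos, out = read_tlv(signed, pos)[1], 0, []  # digestAlgorithms SET
    while pos < len(algs):
        _, alg, pos = read_tlv(algs, pos)             # AlgorithmIdentifier SEQUENCE
        oid = decode_oid(read_tlv(alg, 0)[1])
        name, fips_ok = DIGESTS.get(oid, ("not listed on this page", False))
        out.append((oid, name, oid in DIGESTS and (fips_ok or not fips)))
    return out

# Constructed sample: SignedData skeleton declaring MD5 and SHA-256, empty signerInfos.
SAMPLE = bytes.fromhex(
    "304006092a864886f70d010702a0333031020101311d300c06082a864886f70d02050500"
    "300d06096086480165030402010500300b06092a864886f70d0107013100")
```

Calling audit(SAMPLE, fips=True) reports the MD5 entry as unsupported and the SHA-256 entry as supported; a stream whose ContentInfo is not SignedData raises ValueError.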





Copyright IBM Corporation 1990, 2014