gsk_validate_certificate_mode()
z/OS Cryptographic Services System SSL Programming SC14-7495-00
Validates an X.509 certificate.
Format
Parameters
Results
The return status is zero if the validation is successful. Otherwise, it is one of the return codes that are listed in the gskcms.h include file. These are some possible errors:
Usage
The gsk_validate_certificate_mode() routine validates an X.509 certificate according to the standards defined in RFC 2459: X.509 certificate, certificate revocation list, and certificate extensions, RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, or RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Any necessary CA or issuer certificates are obtained from the supplied data sources. The CA certificate is also validated according to the previously mentioned Internet standards.

The validation_mode parameter determines the Internet standard that the certificate and certificate chain are validated against. The following validation modes are supported:

Note: The z/OS® specific HostIDMapping certificate extension is supported by System SSL and can be validated as a critical extension in any validation mode.
A root certificate is a self-signed certificate and its signature is verified by using the public key in the certificate. If accept_root is FALSE, the root certificate must be found in a trusted data source to be accepted. If accept_root is TRUE, the self-signed certificate is accepted if the signature is correct.

An intermediate certificate or an end-entity certificate is a certificate that is signed by another entity. Its signature is verified by using the public key in the issuer's certificate. The issuer certificate must be found in one of the supplied data sources.

When intermediate CA certificates are used, the certificate chain is validated until the root certificate for the chain is found in one of the trusted data sources. If a sole intermediate certificate is found in a SAF key ring and the next issuer is not found in the same SAF key ring, and validate_root is not specified or is set to GSKCMS_CERT_VALIDATE_KEYRING_ROOT_OFF, the intermediate certificate is allowed to act as a trust anchor, and the chain is considered complete. By default, SAF key ring certificates are only validated to the trust anchor certificate.

If validate_root is set to GSKCMS_CERT_VALIDATE_KEYRING_ROOT_ON, an intermediate certificate in a SAF key ring is not allowed to be established as a trust anchor and full certificate validation to the root CA must occur. Make sure that a SAF key ring containing an intermediate certificate also has the rest of the certificate chain that is connected to the key ring, including the root certificate. The validate_root setting does not affect the validation of SSL key database file and PKCS #11 token certificates because these certificates are always validated to the root CA certificate.

The data sources must contain at least one LDAP directory source or CRL source to check for revoked certificates. The CRL distribution point name (or the certificate issuer name if the certificate does not have a CrlDistributionPoints extension) is used as the distinguished name of the LDAP directory entry containing the certificate revocation list (CRL). The CRL distribution point name and CRL issuer name must be X.500 directory names. The BasicConstraints certificate extension determines whether the CA revocation list or the user revocation list is used. An error is returned if a CRL obtained from an untrusted source cannot be validated.

Security levels for connecting to LDAP directories are based on the GSKCMS_CRL_SECURITY_LEVEL setting. When using the CMS APIs, the GSKCMS_CRL_SECURITY_LEVEL setting can be specified by using the gsk_set_directory_enum() routine. Security levels can be set to LOW, MEDIUM or HIGH. See gsk_attribute_set_enum(), gsk_set_directory_enum() and Environment variables for more information about CRL security level settings.

These data sources are supported:
The validate_root optional parameter must be specified when arg_count is set to 1. If validate_root is not specified and arg_count is set to 1, an error of CMSERR_BAD_VALIDATE_ROOT_ARG is returned. If the arg_count parameter is 0, any additional parameters that are specified are ignored.

If executing in FIPS mode, only FIPS-approved algorithms and key sizes are supported. See System SSL and FIPS 140-2 for more details.
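
The trust-anchor rules described above for accept_root and validate_root, as an added C model (not IBM code and not part of the System SSL API). The types, the evaluate_chain function and the sample chains are hypothetical, and signature verification is assumed to have already succeeded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model types, not System SSL definitions. */
typedef enum { SRC_SAF_KEYRING, SRC_KEY_DATABASE, SRC_PKCS11_TOKEN } source_kind;
typedef enum { CHAIN_COMPLETE, CHAIN_ROOT_NOT_TRUSTED, CHAIN_ISSUER_NOT_FOUND } chain_result;

typedef struct {
    bool self_signed;   /* true for a root certificate */
    bool trusted;       /* located in a trusted data source */
    source_kind source; /* kind of data source it was located in */
} cert_info;

/* chain[0] is the subject; each later entry is the issuer of the one before.
 * The last entry is the highest certificate the data sources could supply. */
chain_result evaluate_chain(const cert_info *chain, size_t n,
                            bool accept_root, bool keyring_root_on)
{
    if (n == 0)
        return CHAIN_ISSUER_NOT_FOUND;
    const cert_info *top = &chain[n - 1];

    if (top->self_signed)   /* the chain reaches a root certificate */
        return (accept_root || top->trusted) ? CHAIN_COMPLETE
                                             : CHAIN_ROOT_NOT_TRUSTED;

    /* The issuer of `top` was not found. Only a SAF key ring intermediate may
     * stand in as the trust anchor, and only while validate_root is off. */
    if (n > 1 && top->trusted && top->source == SRC_SAF_KEYRING && !keyring_root_on)
        return CHAIN_COMPLETE;
    return CHAIN_ISSUER_NOT_FOUND;
}

/* Constructed samples: an end-entity plus an intermediate whose issuer is absent. */
static const cert_info ring_chain[] = { { false, false, SRC_SAF_KEYRING },
                                        { false, true,  SRC_SAF_KEYRING } };
static const cert_info kdb_chain[]  = { { false, false, SRC_KEY_DATABASE },
                                        { false, true,  SRC_KEY_DATABASE } };
/* Constructed sample: a self-signed subject that is in no trusted source. */
static const cert_info lone_root[]  = { { true, false, SRC_KEY_DATABASE } };

int main(void)
{
    printf("key ring, root check off: %d\n", evaluate_chain(ring_chain, 2, false, false));
    printf("key ring, root check on:  %d\n", evaluate_chain(ring_chain, 2, false, true));
    printf("key database file:        %d\n", evaluate_chain(kdb_chain, 2, false, false));
    printf("untrusted root, accepted: %d\n", evaluate_chain(lone_root, 1, true, false));
    return 0;
}
```

The first two calls differ only in the validate_root setting: with it off the partial key ring chain is treated as complete, with it on the same chain fails because the root cannot be reached.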
Copyright IBM Corporation 1990, 2014