IBM Certificate Library, Version 1.0
The files required for the IBM Certificate Library, Version 1.0 are:
- ibmcl.so
- ibmcl.h
This module is used in conjunction with one of the IBM Software Service Cryptographic Providers. This module performs X.509 Version 3 certificate operations. It provides a library of functions needed for creating, signing, verifying, and querying a certificate. The current version does not support X.509 Version 3 extensions. The IBM CL expects X.509 Version 3 signed certificates in ASN/DER-encoded format. It uses a set of object identifiers (OIDs) to exchange certificate information with the application. The list of supported OIDs is defined in the file, ibmcl.h, which should be included in every application that uses the services of IBM CL.
This example demonstrates the purpose and use of OIDs. If an application asks for the version of a given certificate, the CL builds the version object that is returned to the application as follows:
CSSM_FIELD_PTR p_version;
/* p_version is a pointer to a generic structure containing FieldOid and
FieldValue. FieldOid contains a number that indicates the type of the field,
e.g. version, serial number, etc. FieldValue contains the actual data.
*/
/* allocate memory for p_version for the sizeof(CSSM_FIELD)...*/
/* allocate memory for p_version->FieldOid for the sizeof(CSSM_OID)...*/
P_version->FieldOid.Length=sizeof(unit32);
* allocate memory for p_version->FieldOid.Data for the sizeof(unit32)...*/
*(unit32 *)p_version->FieldOid.Data=IBMCL_OID_VERSION;
/* allocate memory for p_version->FieldValue for the sizeof(CSSM_DATA)...*/
P_version->FieldValue.Length=Version.length;
/* allocate memory for p_version->FieldValue.Data for the sizeof(Version.Data)...*/
Copy(Version.value, p_version->FieldValue.Data);All fields are returned as unsigned character arrays, which in turn need to be cast to the appropriate type. The OID indicates the type of the field and the structure it should be cast to. This example shows an instance where OID is used to build the relevant data structure:
CSSM_FIELD_PTR p_field;
X500Name *p_name;
/* call a CL function to obtain some field in the Cert */
switch ( *p_field->FieldOid.Data) {
case IBMCL_OID_VERSION:
break;
case IBMCL_OID_ISSUER_NAME:
/* cast to the correct structure */
p_name = (X500Name *) p_field->FieldValue.Data;
break;
default:
break;
}The IBM CL functions in Table 1 comply with the information in Certificate Library Services API. Most of the functions return error codes that are specific to this implementation and not defined in the OCSF API. These error codes are defined in ibmcl.h and described as part of supported API functions. Also note that function arguments Scope and ScopeSize are ignored. Moreover, in order to construct an X.500, the name-only country name (C), organization name (O), organization name unit (OU), and common name (CN) are supported.
| Function | Supported | Comments |
|---|---|---|
| CSSM_CL_CertSign | Yes | See Table 4 for the error codes. |
| CSSM_CL_CertVerify | Yes | See Table 5 for the error codes. |
| CSSM_CL_CertCreateTemplate | Yes | See Note 1. |
| CSSM_CL_CertGetFirstFieldValue | Yes | The ResultHandle will always be set to NULL and the NumberOfMatchedFields will be set to 1 if any field is found, regardless of how many. See Table 6 for the error codes. |
| CSSM_CL_CertGetNextFieldValue | No | |
| CSSM_CL_CertAbortQuery | No | |
| CSSM_CL_CertGetKeyInfo | Yes | This function returns the DER-encoded subject public key. The encoding contains the public key, algorithm ID, and parameters, if applicable (see Table 7). |
| CSSM_CL_CertGetAllFields | Yes | See Note 2. |
| CSSM_CL_CertImport | No | |
| CSSM_CL_CertExport | No | |
| CSSM_CL_CertDescribeFormat | No | |
| CSSM_CL_CrlCreateTemplate | No | |
| CSSM_CL_CrlSetFields | No | |
| CSSM_CL_CrlAddCert | No | |
| CSSM_CL_CrlRemoveCert | No | |
| CSSM_CL_CrlSign | No | |
| CSSM_CL_CrlVerify | No | |
| CSSM_CL_IsCertInCrl | No | |
| CSSM_CL_CrlGetFirstFieldValue | No | |
| CSSM_CL_CrlGetNextFieldValue | No | |
| CSSM_CL_CrlAbortQuery | No |
- CSSM_CL_CertCreateTemplate -
This function accepts the public key field in two formats:
- If the key algorithm requires any parameters, they can be put
in the template with a separate OID. Thus, the application can pass
in three OIDs and the respective values:
- IBMCL_OID_SUBJECT_PUB_KEY: The value is passed in as a string. The key should not be DER-encoded.
- IBMCL_OID_PUB_KEY_PARAMETERS: Data should point to the DER encoding of the parameters.
- IBMCL_OID_PUB_KEY_ALGID: Data indicates what algorithm ID is used for generating the key, e.g., CSSM_ALGID_RSA.
- The algorithm ID, parameters, and the key can be DER-encoded and
passed in with OID IBMCL_OID_SUBJECT_PUB_KEY. There is no need to
supply the other two OIDs.
The template requires these fields in one of the two formats: signature algorithm ID, validity, subject name, issuer name, and subject public key. Validity is specified as an array of two CSSM_DATE elements. Index 0 should contain the start date and index 1 the end date of certificate validity. This function returns error codes as shown in Table 2.
Table 2. CSSM_CL_CertCreateTemplate Error Codes Error Code Description CSSM_CL_INVALID_CL_HANDLE CLHandle argument passed in is invalid. CSSM_CL_INVALID_INPUT_PTR CertTemplate argument passed in is NULL. CSSM_CL_INVALID_DATA NumberOfFields argument passed in is 0. CSSM_CL_SIGN_ALGID_NOT_SUPPORTED The supplied signature algorithm ID in the template is not supported by IBM CL. CSSM_CL_INVALID_TEMPLATE The given template is missing or contains an invalid pointer to one of these mandatory items: serial number, signature algorithm ID, validity, subject name, or subject public key. Also, if an extension or unique ID is present in the template, but the pointers are invalid, this error is returned. CSSM_CL_ INVALID_ CERT_ISSUER_NAME The supplied issuer name is invalid. CSSM_CL_ MISSING_CERT_ISSUER_NAME The field for issuer name is not present in the template. This field is required for creating a valid certificate. CSSM_CL_KEY_ALGID_NOT_SUPPORTED The supplied algorithm ID for the subject public key is not supported. CSSM_CL_KEY_FORMAT_UNKNOWN The supplied subject public key is not in the correct format. CSSM_CL_CERT_CREATE_FAIL Failed to DER encode the certificate. This error could be caused by invalid data in the template or memory problem. - If the key algorithm requires any parameters, they can be put
in the template with a separate OID. Thus, the application can pass
in three OIDs and the respective values:
- CSSM_CL_CertGetAllFields - This function returns DER encoding of the unsigned part of the certificate; signature algorithm ID; parameters, if applicable; and the signature (length in bytes). To view the specific fields in the certificate, such as version or validity, use CSSM_CL_GetFirstFieldValue with the appropriate OID. If the signature algorithm ID is not recognized by IBM CL, it is set to CSSM_ALGID_NONE. The other fields, however, are still returned to the application. This function returns error codes as shown in Table 3.
| Error Code | Description |
|---|---|
| CSSM_CL_INVALID_CL_HANDLE | CLHandle argument passed in is invalid. |
| CSSM_CL_INVALID_CERT_POINTER | Cert argument passed in is NULL. |
| CSSM_CL_CERT_GET_FIELD_VALUE_FAIL | Unable to decode the certificate correctly. |
| CSSM_MALLOC_FAILED | Failed to allocate memory in the application space. |
| Error Code | Description |
|---|---|
| CSSM_CL_INVALID_CL_HANDLE | CLHandle argument passed in is invalid. |
| CSSM_CL_INVALID_CC_HANDLE | CCHandle argument passed in is invalid. |
| CSSM_CL_INVALID_CERT_POINTER | CertToBeSigned or SignerCert arguments are invalid. |
| CSSM_CL_INVALID_CONTEXT | Unable to obtain a valid context using the CCHandle passed in. |
| CSSM_CL_GET_KEY_ATTRIBUTE_FAIL | Unable to obtain a valid key attribute using the CCHandle passed in. |
| CSSM_CL_KEY_ALGID_NOT_SUPPORTED | The specified algorithm ID in the signature context is not supported. |
| CSSM_CL_CERT_SIGN_FAIL | The signature operation failed. This could be caused by invalid attributes in the signature context. |
| CSSM_CL_CERT_ENCODE_FAIL | Failed to DER encode the signed certificate. This error could be caused by memory problems or invalid context attributes. |
| Error Code | Description |
|---|---|
| CSSM_CL_INVALID_CL_HANDLE | CLHandle argument passed in is invalid. |
| CSSM_CL_INVALID_CC_HANDLE | CCHandle argument passed in is invalid. |
| CSSM_CL_INVALID_CERT_POINTER | Either CertToBeVerified or SignerCert argument is NULL. |
| CSSM_CL_CERT_VERIFY_FAIL | Failed to verify the signature on the certificate. |
| CSSM_CL_CERT_GET_FIELD_VALUE_FAIL | Failed to decode the CertToBeVerified correctly. |
| CSSM_MALLOC_FAILED | Failed to allocate memory. |
| Error Code | Description |
|---|---|
| CSSM_CL_INVALID_CL_HANDLE | CLHandle argument passed in is invalid. |
| CSSM_CL_INVALID_CERT_POINTER | Cert argument passed in is NULL. |
| CSSM_CL_INVALID_INPUT_PTR | CertField or CertField->Data argument passed in is NULL. |
| CSSM_MALLOC_FAILED | Unable to allocate memory in the application space. |
| CSSM_CL_FIELD_NOT_PRESENT | The requested field is not in the certificate. |
| CSSM_CL_KEY_ALGID_NOT_SUPPORTED | If the key field is requested, the algorithm ID is not supported. |
| Error Code | Description |
|---|---|
| CSSM_CL_INVALID_CL_HANDLE | CLHandle argument passed in is invalid. |
| CSSM_CL_INVALID_CERT_POINTER | Cert argument passed in is NULL. |
| CSSM_CL_CERT_GET_KEY_INFO_FAIL | Failed to decode the cert and obtain the public key. |
| CSSM_MALLOC_FAILED | Failed to allocate memory in the application memory space. |
| CSSM_CL_KEY_ALGID_NOT_SUPPORTED | The algorithm id of the subject public key is not supported. |