RSA BSAFE Cert-C
API Reference

OCSP_SIGNER Struct Reference

Details how the Cert-C OCSP Revocation Status service provider should sign requests for the associated OCSP responder.

OCSP_SIGNER is used in the OCSP_RESPONDER structure.

When a request is issued to the OCSP responder during a call to C_CheckCertRevocation(), the resulting protocol message is signed with the private key that corresponds to cert found in the database member of cert_revoke_funcs. OCSP_SIGNER information can be left unspecified if its associated OCSP_RESPONDER does not require requests to be signed. In this case, OCSP_SIGNER's signatureAlgorithm field should be set to SA_UNDEFINED and no other fields of this structure are used.

Data Fields
signatureAlgorithm
This input parameter is the algorithm used to sign the OCSP request. If specified, signatureAlgorithm must be set to one of the following values defined in certalg.h. If not specified, signatureAlgorithm should be set to SA_UNDEFINED.

  • SA_MD2_WITH_RSA_ENCRYPTION
  • SA_MD5_WITH_RSA_ENCRYPTION
  • SA_SHA1_WITH_RSA_ENCRYPTION
  • SA_DSA_WITH_SHA1
  • SA_UNDEFINED

cert
This input parameter is a CERT_OBJ that contains the certificate associated with the private key used to sign the OCSP request. The private key must be present in the database whose handle is specified in the database field of CERT_PATH_CTX that was passed to C_CheckCertRevocation(). This parameter is only required when the OCSP responder requires the request to be signed. If not specified, this parameter should be set to (CERT_OBJ)0.

extraRequestCerts
This optional input parameter is a LIST_OBJ which contains additional certificates that the requestor can send to the OCSP responder. The Cert-C OCSP Revocation Status service provider sends only the request signer certificate to the OCSP responder, as part of its default behavior. Any certificates that are required by the responder to verify the request signatures are retrieved from the database handle in CERT_PATH_CTX when C_CheckCertRevocation() is called.

These additional certificates can be added to the supplied extraRequestCerts list depending on how you set the OCSP_RESPONDER's flags field associated with this OCSP_SIGNER.

#include <ocsp.h>

typedef struct {
  int      signatureAlgorithm;                /* alg used to sign requests */
  CERT_OBJ cert;                              /* cert for signing requests */
  LIST_OBJ extraRequestCerts;  /* any extra certs to send to the responder */
} OCSP_SIGNER;
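
As an added example (not part of the Cert-C reference or RSA's code), the following C pre-flight check applies the field rules above before an OCSP_SIGNER is attached to an OCSP_RESPONDER. The typedefs and SA_* numbers are stand-ins for ocsp.h and certalg.h, and signer_status and check_ocsp_signer() are hypothetical names. Rejecting MD2/MD5, flagging populated fields under SA_UNDEFINED, and treating an empty extraRequestCerts as (LIST_OBJ)0 are this example's assumptions, not library behavior.

```c
#include <stddef.h>

/* Stand-ins so this compiles without the Cert-C headers. In a real build
 * these come from ocsp.h and certalg.h; the SA_* numbers are placeholders. */
typedef void *CERT_OBJ;
typedef void *LIST_OBJ;
enum { SA_UNDEFINED, SA_MD2_WITH_RSA_ENCRYPTION, SA_MD5_WITH_RSA_ENCRYPTION,
       SA_SHA1_WITH_RSA_ENCRYPTION, SA_DSA_WITH_SHA1 };
typedef struct {
  int      signatureAlgorithm;
  CERT_OBJ cert;
  LIST_OBJ extraRequestCerts;
} OCSP_SIGNER;

/* Result codes are hypothetical, defined for this example only. */
typedef enum {
  SIGNER_OK_UNSIGNED,   /* SA_UNDEFINED, other fields empty */
  SIGNER_OK_SIGNED,     /* SHA-1 based algorithm with a signer cert */
  SIGNER_BAD_ALG,       /* NULL struct or value outside the documented set */
  SIGNER_WEAK_DIGEST,   /* MD2/MD5: documented, rejected by local policy */
  SIGNER_MISSING_CERT,  /* algorithm chosen but cert is (CERT_OBJ)0 */
  SIGNER_STRAY_FIELDS   /* SA_UNDEFINED with cert or extra certs set */
} signer_status;

signer_status check_ocsp_signer(const OCSP_SIGNER *s)
{
  if (s == NULL) return SIGNER_BAD_ALG;
  switch (s->signatureAlgorithm) {
  case SA_UNDEFINED:
    /* Other fields are unused here; set fields suggest signing was intended. */
    if (s->cert != (CERT_OBJ)0 || s->extraRequestCerts != (LIST_OBJ)0)
      return SIGNER_STRAY_FIELDS;
    return SIGNER_OK_UNSIGNED;
  case SA_MD2_WITH_RSA_ENCRYPTION:
  case SA_MD5_WITH_RSA_ENCRYPTION:
    return SIGNER_WEAK_DIGEST;
  case SA_SHA1_WITH_RSA_ENCRYPTION:
  case SA_DSA_WITH_SHA1:
    return s->cert == (CERT_OBJ)0 ? SIGNER_MISSING_CERT : SIGNER_OK_SIGNED;
  default:
    return SIGNER_BAD_ALG;
  }
}

int main(void)
{
  OCSP_SIGNER s = { SA_UNDEFINED, (CERT_OBJ)0, (LIST_OBJ)0 };
  return check_ocsp_signer(&s) == SIGNER_OK_UNSIGNED ? 0 : 1;
}
```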

The documentation for this struct was generated from the following file:


RSA BSAFE® Cert-C 2.7 API Reference