RSA Security logo

RSA BSAFE Cert-C
API Reference

CERT_PATH_FUNCS Reference

Stores pointers to the certificate-path processing service provider functions in Cert-C.

In this case, there is one implementation, the Cert-C Certificate Path Processing service provider. Use S_InitializePKIXPath() to initialize funcs's path function pointer to the Cert-C Certificate Path Processing service provider implementation of CERT_PATH_FUNCS.

#include <pathspi.h> 

00037 typedef struct cert_path_funcs {
00048   void (*Finalize) (
00049     CERTC_CTX       ctx,              /* Cert-C context */
00050     POINTER         handle);          /* provider handle */
00051 
00155   int (*GetNextCertInPath) (
00156     CERTC_CTX      ctx,               /* Cert-C context */
00157     POINTER        handle,            /* service provider handle */
00158     CERT_PATH_CTX *pathCtx,           /* path processing context */
00159     POINTER        startObject,       /* starting point for the path */
00160     LIST_OBJ       certList);         /* list where certs are added */
00161 
00162 
00207   int (*ValidateCert) (
00208     CERTC_CTX      ctx,               /* Cert-C context */
00209     POINTER        handle,            /* service provider handle */
00210     CERT_PATH_CTX *pathCtx,           /* path processing context */
00211     CERT_OBJ       cert,              /* starting cert */
00212     B_KEY_OBJ      validationKey);    /* signature validation key */
00213 
00306   int (*BuildCertPath) (
00307     CERTC_CTX      ctx,               /* Cert-C context handle */
00308     POINTER        handle,            /* service provider handle */
00309     CERT_PATH_CTX *pathCtx,           /* path processing context */
00310     POINTER        startObject,       /* starting point for the path */
00311     LIST_OBJ       certPath,          /* resulting certification path */
00312     LIST_OBJ       crlList,           /* CRLs needed to verify the path */
00313     LIST_OBJ       crlCerts,          /* Additional certs to verify CRLs */
00314     LIST_OBJ       policyInfoList);   /* List of policy info */
00315 } CERT_PATH_FUNCS;

Data Fields

void(* Finalize )(CERTC_CTX ctx, POINTER handle)
 Cleans up resources associated with the specified service-provider handle, including freeing memory allocated during service-provider initialization. More...

int(* GetNextCertInPath )(CERTC_CTX ctx, POINTER handle, CERT_PATH_CTX *pathCtx, POINTER startObject, LIST_OBJ certList)
 Returns a set of candidate certificates whose public key might be used to verify the start object's signature. More...

int(* ValidateCert )(CERTC_CTX ctx, POINTER handle, CERT_PATH_CTX *pathCtx, CERT_OBJ cert, B_KEY_OBJ validationKey)
 Verifies a certificate's ValidityPeriod, unless CERT_PATH_CTX tells it to ignore the validation time. More...

int(* BuildCertPath )(CERTC_CTX ctx, POINTER handle, CERT_PATH_CTX *pathCtx, POINTER startObject, LIST_OBJ certPath, LIST_OBJ crlList, LIST_OBJ crlCerts, LIST_OBJ policyInfoList)
 Constructs a valid path from startObject to one of the trusted certificates in the certificate path context. More...

Field Documentation (alphabetical)

int(* cert_path_funcs::BuildCertPath)( CERTC_CTX ctx, POINTER handle, CERT_PATH_CTX *pathCtx, POINTER startObject, LIST_OBJ certPath, LIST_OBJ crlList, LIST_OBJ crlCerts, LIST_OBJ policyInfoList)
 

Constructs a valid path from startObject to one of the trusted certificates in the certificate path context. BuildCertPath returns a certificate path for startObject if the certPath argument is not NULL_PTR, or it verifies startObject without returning the path if the certPath argument is NULL_PTR. The new flag PA_PKIX2 has been defined in addition to aPA_PKIX and PA_X509_V1 to handle policy and policy mapping.

  • If PA_PKIX is chosen, a valid path conforms to the description in the Certificate Path Validation section of the RFC 2459, except for options specified in pathCtx.

  • If PA_PKIX2 is chosen, a valid path conforms to the policy and policy mapping described in draft-ieft-pkix-new-part1-12.txt, that is also known as the "son-of-2459."
This function is implemented by the Cert-C CertificatePath Processing service provider.
Parameters:
ctx This input parameter points to an initialized Cert-C context handle.
handle This input parameter points to a copy of the Cert-C Certificate Path Processing service provider handle.
pathCtx This input parameter is the path- processing context. It is used to ensure that the constructed certificate path is valid. Less strict checking during path construction can be requested through the appropriate use of pathCtx's pathOptions field. For more information this parameter, see the CERT_PATH_CTX structure.
startObject This input parameter is the first object in the path. Currently, it is either a CERT_OBJ or a CRL_OBJ object.
certPath This is both an input and output parameter. This parameter is optional and can be set to NULL_PTR if not used. As an input parameter, it is an allocated but uninitialized LIST_OBJ. As an output parameter, a set of certificates that consist of the certificate path for startObject is added to this list, unless it is already on the list.
crlList This is both an input and output parameter. This parameter is optional and can be set to NULL_PTR if not used. As an input parameter, it is an allocated but uninitialized LIST_OBJ. As an output parameter, the list contains any CRLs needed to verify the resulting certificate path. Some certificate path processing service providers might not use or return CRLs.
crlCerts This is both an input and output parameter. This parameter is optional and can be set to NULL_PTR if not used. As an input parameter, it is an allocated but uninitialized LIST_OBJ. As an output parameter, the list contains any additional certificates not included in the path that might be required to validate CRLs returned in crlList. If the crlList parameter is set to NULL_PTR, crlCerts is ignored. The certificates returned in crlCerts are essentially the union of certificate paths extending from the returned CRLs to the trusted certificates in the certificate path context, except that the certificates returned in the certPath parameter might or might not be included in this list.
policyInfoList This is both an input and output parameter. This parameter is optional and can be set to NULL_PTR if not used. As an input parameter, it is an allocated but uninitialized LIST_OBJ. As an output parameter, the policy information list contains an entry for each policy under which the returned certificate path is valid. Each entry in the list is of type POLICY_INFO.

void(* cert_path_funcs::Finalize)( CERTC_CTX ctx, POINTER handle)
 

Cleans up resources associated with the specified service-provider handle, including freeing memory allocated during service-provider initialization. This function is implemented by the Cert-C Path Processing service provider.

int(* cert_path_funcs::GetNextCertInPath)( CERTC_CTX ctx, POINTER handle, CERT_PATH_CTX *pathCtx, POINTER startObject, LIST_OBJ certList)
 

Returns a set of candidate certificates whose public key might be used to verify the start object's signature. This service provider supports PA_X509_V1, PA_PKIX, and PA_PKIX certificate path algorithms.

  • If PA_X509_V1 is chosen, it finds candidate certificates using the issuer name found in the certificate.

  • If PA_PKIX or PA_PKIX2 is chosen, a candidate certificate must meet all of the following conditions:


    1. It must contain a public key that can verify the signature in the base object.

    2. The ValidityPeriod must be correct, unless CERT_PATH_CONTEXT tells the service provider to ignore validation time.

    3. The AuthorityKeyIdentifier extension must not exist in the base object. Or, if the AuthorityKeyIdentifier extension does exist, then it must not be marked critical, and it must meet the following condition:

        The AuthorityKeyIdentifier extension must contain a subject name that matches the issuer name in the base object. Or, if the AuthorityKeyIdentifier extension contains a KeyIdentifier, then it must meet one of the following conditions:

      • The SubjectKeyIdentifier extension must match the AuthorityKeyIdentifier extension. Or, if the extension contains authoritySerialNumber and authorityCertIssuer, then a certificate is a candidate if its serial number matches the authoritySerialNumber and its issuer name matches the DirectoryName entry of the authorityCertIssuer.

      • A certificate that contains a IssuerAlternativeName extension is a candidate if its GeneralName entry matches any of the entries in authorityCertIssuer, as long as its serial number matches the authoritySerialNumber.
This function is implemented by the Cert-C Path Processing service provider.
Parameters:
ctx This input parameter points to an initialized Cert-C context handle.
handle This input parameter points to a copy of the Cert-C Certificate Path Processing service provider handle.
pathCtx This input parameter is the path- processing context. It is used to ensure that the constructed certificate path is valid. Less strict checking during path construction can be requested by the appropriate use of pathCtx's pathOptions field. The pathOptions field can be used to modify the basic certificate request path processing algorithm. For more information this parameter, see the CERT_PATH_CTX structure.
startObject This input parameter is the start object. It is used to locate one or more certificates that might contain the public key needed to verify the start object's signature. Information contained in the start object (typically the issuer name or the authority key identifier) is used to select a set of certificates. Currently, it is either a CERT_OBJ or a CRL_OBJ.
certList This is both an input and output parameter. As an input parameter, it points to an existing LIST_OBJ. As an output parameter, it is a list of certificates that might be able to verify the start object's signature. This function can, but need not, apply additional criteria from the path processing algorithm and options to reduce the set of candidate certificates. The caller is responsible for actual validation of both the base certificate, the candidate certificates, and any relationship between the base and candidate certificates required by the certificate path processing algorithm.
Returns:
If successful, returns 0. If not, returns a Cert-C error code.

int(* cert_path_funcs::ValidateCert)( CERTC_CTX ctx, POINTER handle, CERT_PATH_CTX *pathCtx, CERT_OBJ cert, B_KEY_OBJ validationKey)
 

Verifies a certificate's ValidityPeriod, unless CERT_PATH_CTX tells it to ignore the validation time. It verifies the signature bits using validationKey. This validation can be turned off by setting PF_IGNORE_VALIDATION_TIME in the pathOptions field of the CERT_PATH_CTX structure.

The supported certificate path algorithms are PA_X509_V1, PA_PKIX, and PA_PKIX2.

This function is implemented by the Cert-C Path Processing service provider.

Parameters:
ctx This input parameter points to an initialized Cert-C context handle.
handle This input parameter points to a copy of the Cert-C Certificate Path Processing service provider handle.
pathCtx This input parameter is the path processing context. It is used to determine the validation algorithm and the validation time. Some fields may not be applicable to single-certificate validation. For more information this parameter, see the CERT_PATH_CTX structure.
cert This input parameter is a certificate object that contains the certificate to be validated.
validationKey This input parameter is a key object that contains the key used to validate the certificate signature.
Returns:
If successful, returns 0. If not, returns a Cert-C error code.

The documentation for this struct was generated from the following file:

RSA BSAFE® Cert-C 2.7 API Reference