
RSA BSAFE Cert-C
API Reference

CERT_REVOKE_FUNCS Reference

Store pointers to the functions of a Cert-C certificate revocation status service provider.

Use S_InitializeCRLStatus() or S_InitializeOCSP() to initialize funcs's revoke member to the Cert-C CRL Revocation Status or Cert-C OCSP Revocation Status Service Provider implementation of CERT_REVOKE_FUNCS.

#include <statspi.h>

typedef struct cert_revoke_funcs {

  void (*Finalize) (
    CERTC_CTX ctx,      /* Cert-C context */
    POINTER   handle);  /* provider handle */

  int (*CheckCertRevocation) (
    CERTC_CTX        ctx,          /* Cert-C context            */
    POINTER          handle,       /* service provider handle   */
    CERT_PATH_CTX   *pathCtx,      /* path processing context   */
    CERT_OBJ         cert,         /* cert to be checked        */
    CERT_REVOCATION *revocation);  /* revocation status of cert */

} CERT_REVOKE_FUNCS;

Data Fields

void(* Finalize )(CERTC_CTX ctx, POINTER handle)
 Frees resources associated with the specified service provider handle, including freeing memory allocated during service provider initialization.

int(* CheckCertRevocation )(CERTC_CTX ctx, POINTER handle, CERT_PATH_CTX *pathCtx, CERT_OBJ cert, CERT_REVOCATION *revocation)
 Cert-C calls the CheckCertRevocation function to check the revocation status of a certificate and return the status and related information.


Field Documentation (alphabetical)

int(* cert_revoke_funcs::CheckCertRevocation)( CERTC_CTX ctx, POINTER handle, CERT_PATH_CTX *pathCtx, CERT_OBJ cert, CERT_REVOCATION *revocation)
 

Cert-C calls the CheckCertRevocation function to check the revocation status of a certificate and return the status and related information. This function is implemented by the Cert-C CRL Revocation Status Service Provider and the Cert-C OCSP Revocation Status Service Provider. The implementations are different for each provider.

When there are multiple providers, such as a CRL and an OCSP provider, each provider is called in turn. When a definitive CERT_REVOKED or CERT_NOT_REVOKED is returned, processing stops. When this occurs, any uncalled providers remain uncalled.

Cert-C CRL Revocation Status Service Provider Implementation

CheckCertRevocation finds a relevant CRL using the issuer name of the certificate. The CRL distribution point extension is checked.

Cert-C OCSP Revocation Status Service Provider Implementation

In this implementation, CheckCertRevocation checks the status of a certificate against an OCSP responder using the certificate's serialNumber field and the certificate's issuer's name and public key.

The two implementations do not have the same parameter definitions.

Parameters:
ctx This input parameter points to an initialized Cert-C context handle.
handle This input parameter points to a copy of the Cert-C CRL Revocation Status Service Provider handle.
pathCtx The use of this parameter varies with the service provider.

Cert-C CRL Revocation Status Service Provider Implementation
    This input parameter is the path-processing context. It is used to ensure that the constructed certification path is valid. This function uses the certification path-processing context to determine the status checking mechanism.

    In addition to the global definition of validationTime, here validationTime is also used to select the relevant CRL that spans the time period for when the application wants to determine the status of the certificate.
Cert-C OCSP Revocation Status Service Provider Implementation
    This input parameter is the status-checking context. It is used to ensure that the constructed certification path is valid. This function uses the certification status-checking context to determine the status checking mechanism. The service provider uses pathCtx's pathOptions, trustedCerts, and validationTime fields.

    The validationTime field in CERT_PATH_CTX can be set to a value other than PF_VALIDATION_TIME_NOW. However, this value must be inside the range of the values contained in OCSP_EVIDENCE's thisUpdate and nextUpdate fields; these values are provided by the OCSP responder. If validationTime's value is outside of this range, revocation's status field will be set to CRE_OCSP and revocation's evidence field will contain a pointer to OCSP_EVIDENCE. This evidence information will reflect the thisUpdate and *pNextUpdate values which were asserted by the OCSP responder.

    Setting pathCtx's pathOptions field to PF_IGNORE_VALIDATION_TIME will yield the same result because status check information is only relevant over a specified period of time and to ignore it is an error.
cert This input parameter is a certificate object that contains the certificate to be checked.
revocation This is both an input and output parameter. As an input parameter, it is an uninitialized CERT_REVOCATION structure. As an output parameter, it points to the location of the current certificate information. The caller should pass in a pointer to an allocated CERT_REVOCATION structure. If a valid CRL is found, the evidence field of the CERT_REVOCATION structure contains a pointer to the CRL_EVIDENCE structure. The caller is responsible for freeing the status evidence and destroying the CRL object by calling C_DestroyCRLEvidence(). If the response is a valid OCSP response, the evidenceType field of the CERT_REVOCATION structure is set to CRE_OCSP and the evidence field of the CERT_REVOCATION structure contains a pointer to the OCSP_EVIDENCE structure.
Returns:
If successful, returns 0. If not, returns a Cert-C error code.
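
The provider ordering and validity-window rules described above for CheckCertRevocation, shown as an added example that is not part of the Cert-C reference or RSA's code. It is a stand-alone C model: status_t, evidence_t, check_fn and the three sample providers are hypothetical stand-ins, and both treating an out-of-window validationTime as non-definitive and accepting only a definitive "not revoked" are assumptions of the model.

```c
#include <stddef.h>
#include <time.h>

/* Model only: these types are hypothetical, not the Cert-C headers. */
typedef enum { ST_UNKNOWN, ST_NOT_REVOKED, ST_REVOKED } status_t;
typedef struct { status_t status; time_t thisUpdate, nextUpdate; } evidence_t;
typedef void (*check_fn)(time_t validationTime, evidence_t *out);

static int calls;                       /* providers consulted by last check */

/* Constructed CRL-style provider: no relevant CRL, so no definitive answer. */
static void crl_no_answer(time_t vt, evidence_t *out) {
    (void)vt; calls++; out->status = ST_UNKNOWN;
}

/* Constructed OCSP-style provider: responder asserts "good" for [1000, 2000].
 * Assumption: a validationTime outside that window is not definitive. */
static void ocsp_good(time_t vt, evidence_t *out) {
    calls++;
    out->thisUpdate = 1000; out->nextUpdate = 2000;
    out->status = (vt >= out->thisUpdate && vt <= out->nextUpdate)
                      ? ST_NOT_REVOKED : ST_UNKNOWN;
}

/* Constructed provider that always answers "revoked". */
static void last_revoked(time_t vt, evidence_t *out) {
    (void)vt; calls++; out->status = ST_REVOKED;
}

static const check_fn PROVIDERS[] = { crl_no_answer, ocsp_good, last_revoked };

/* Call each provider in turn; stop at the first definitive status. */
status_t check_chain(const check_fn *p, size_t n, time_t vt) {
    calls = 0;
    for (size_t i = 0; i < n; i++) {
        evidence_t ev = { ST_UNKNOWN, 0, 0 };
        p[i](vt, &ev);
        if (ev.status != ST_UNKNOWN) return ev.status;
    }
    return ST_UNKNOWN;                  /* nobody gave a definitive answer */
}

/* Caller policy (assumption): accept only a definitive "not revoked". */
int cert_acceptable(const check_fn *p, size_t n, time_t vt) {
    return check_chain(p, n, vt) == ST_NOT_REVOKED;
}

int main(void) {
    /* In-window time: OCSP answers, third provider is never called. */
    return cert_acceptable(PROVIDERS, 3, 1500) && calls == 2 ? 0 : 1;
}
```

In the model, provider order decides which answer wins, and a validationTime outside the responder's window leaves the decision to a later provider or, if none is definitive, to the caller's policy.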

void(* cert_revoke_funcs::Finalize)( CERTC_CTX ctx, POINTER handle)
 

Frees resources associated with the specified service provider handle, including freeing memory allocated during service provider initialization. This function is implemented by the Cert-C CRL Revocation Status Service Provider and the Cert-C OCSP Revocation Status Service Provider.


The documentation for this struct was generated from the following file:


RSA BSAFE® Cert-C 2.7 API Reference