 |
TrustCore SDK NanoCert API reference
version 7.0
|
|
TrustCore SDK NanoCert API reference
version 7.0
|
Typedefs | |
| typedef MSTATUS(* | PKCS7_GetCertificate) (const void *arg, CStream cs, struct ASN1_ITEM *pSerialNumber, struct ASN1_ITEM *pIssuerName, ubyte **ppCertificate, ubyte4 *certificateLen) |
| Get a certificate for a given issuer name and serial number. More... | |
| typedef MSTATUS(* | PKCS7_GetPrivateKey) (const void *arg, CStream cs, struct ASN1_ITEM *pSerialNumber, struct ASN1_ITEM *pIssuerName, struct AsymmetricKey *pKey) |
| Get the private key associated with a given certificate in a PKCS #7 message (CMS message stream). More... | |
| typedef MSTATUS(* | PKCS7_ValidateRootCertificate) (const void *arg, CStream cs, struct ASN1_ITEM *pCertificate, sbyte4 chainLength) |
| Validate the certificates in a PKCS #7 message. More... | |
| typedef MSTATUS(* PKCS7_GetCertificate) (const void *arg, CStream cs, struct ASN1_ITEM *pSerialNumber, struct ASN1_ITEM *pIssuerName, ubyte **ppCertificate, ubyte4 *certificateLen) |
This callback function gets a certificate (that matches a given issuer name and serial number) for a SignedData object whose certificates are external to its data. The PKCS7_VerifySignedData() and PKCS7_VerifySignedDataEx() functions invoke this callback to search for certificates for such SignedData objects.
This callback function should call PKCS_GetCertificates() to search the given CStream, pCertStream, for the first certificate that contains a SignedData object; if none are found, this callback function should then search a private store of certificates. Then you can search for the desired certificate among those found by PCKS_GetCertificates() or among those found in the private store.
| arg | Data that can be passed to the callback. |
| cs | CStream containing a PKCS #7 message (a ContentInfo object) containing the SignedData object to search for a matching certificate. |
| pSerialNumber | Pointer to ASN1_ITEM structure containing the certificate serial number of interest. To get this pointer, call X509_getCertificateIssuerSerialNumber() against a certificate that is know to contain the issuer and serial number of interest. |
| pIssuerName | Pointer to ASN1_ITEM structure containing the issuer name of interest. To get this pointer, call X509_getCertificateIssuerSerialNumber() against a certificate that is known to contain the issuer and serial number of interest. |
| ppCertificate | On return, pointer to buffer of the matching certificate. If no match is found, the value is NULL (zero). |
| certificateLen | On return, length of the matching certificate. |
OK (0) under all circumstances.| typedef MSTATUS(* PKCS7_GetPrivateKey) (const void *arg, CStream cs, struct ASN1_ITEM *pSerialNumber, struct ASN1_ITEM *pIssuerName, struct AsymmetricKey *pKey) |
This callback function searches a given PKCS #7 message (CMS message stream), cs, for a certificate that matches the given serial number and issuer name. To obtain the certificate, you could call the PKCS7_GetCertificate() callback function, which searches both the given CStream, cs, and a private store of certificates. To validate the certificate, call the PKCS7_ValidateRootCertificate() callback function. If the certificate is valid, this callback function (PKCS7_GetPrivateKey()) can get the associated private key.
If the subject's PEM-encoded private key is stored in a file, you can copy the key to an AsymmetricKey structure as follows:
Given this code, the callback function returns the private key through the pKey parameter.
| arg | Data that can be passed to the callback. |
| cs | CStream containing the PKCS 7 message (a ContentInfo object containing a CMS EnvelopedData object) to search. |
| pSerialNumber | Pointer to ASN1_ITEM structure containing the certificate serial number of interest. To get this pointer, call X509_getCertificateIssuerSerialNumber() against a certificate that is known to contain the issuer and serial number of interest. |
| pIssuerName | Pointer to ASN1_ITEM structure containing the issuer name of interest. To get this pointer, call X509_getCertificateIssuerSerialNumber() against a certificate that is known to contain the issuer and serial number of interest. |
| pKey | On return, pointer to the certificate's private key. |
OK (0) if successful; otherwise a negative number error code definition from merrors.h. To retrieve a string containing an English text error identifier corresponding to the function's returned error status, use the DISPLAY_ERROR macro.| typedef MSTATUS(* PKCS7_ValidateRootCertificate) (const void *arg, CStream cs, struct ASN1_ITEM *pCertificate, sbyte4 chainLength) |
This callback function validates the certificates in a PKCS #7 message.
Which validity checks to perform depends on your application and environment. Typical checks are:
If the Digicert certificate store is being used then look at CERT_STORE_PKCS7_ValidateRootCertificate in mss/src/crypto/cert_store.c on how to use the certificate store to validate a certificate.
(when is this callback invoked?) (is the "top" certificate the root or end-user?)
| arg | Data that can be passed to the callback. |
| cs | CStream containing the PKCS #7 message. |
| pCertificate | Pointer to topmost certificate in the certificate chain whether it is the root or not. |
| chainLength | The lenth of the certificate chain from the current to the topmost parent. |
OK (0) if successful; otherwise a negative number error code definition from merrors.h. To retrieve a string containing an English text error identifier corresponding to the function's returned error status, use the DISPLAY_ERROR macro.