PKIFv2
performs X.509
certification path processing, including certification path development
and
certification path validation.
Certification path validation consists of validating
certificates
starting with the one certified by a trust anchor and ending with the
one
issued to the subscriber of interest.
PKIFv2
supports X.509 version 3 Certificates and X.509 CRLs, versions 1 and 2. All processing is X.509
and PKIX RFC3280
compliant.
There are three types of public key
certificates involved in
certificate path validation:
PKIFv2 processes the following
security-related certificate
extensions: ocsp-nocheck, keyUsage, extendedKeyUsage, and
basicConstraints. PKIFv2
performs the
processing of the following certificate policy-related extensions:
certificatePolicies, policyMapping, inhibitAnyPolicy,
policyConstraints, and
nameConstraints extensions
PKIFv2 can generate Online
Certificate Status Protocol
(OCSP) requests and validate OCSP responses to determine the revocation
status
of public key certificates. PKIFv2
verifies
OCSP Responder as a trust anchor or as an end entity authorized to sign
OCSP
responses. PKIFv2
establishes trust in
the OCSP responder certificates by performing Certification Path
Validation.
PKIFv2 provides Certificate
Revocation List (CRL) validation
functionality that enables applications to determine the revocation
status of a
certificate using a CRL. PKIFv2
may be
used to process CRLs obtained from a variety of sources including:
locations indicated
by a CRL Distribution Point (CRLDP) extension in a certificate, local
storage
facilities or LDAP-accessible directories.
PKIFv2 permits the use of the same
public key for CRL
signature verification as the one used for verifying the signature on
the
certificate, but does not mandate it.
In
other words, a PKIFv2 will develop and validate certification paths to
CRL
signers where necessary.
PKIFv2 enables application to use a
private key for
signature generation and to specify information covered by that
signature, e.g.
using the CMS SignedData format. The
CMS
structures implemented by PKIFv2 are based on those defined in
[RFC3369]. Several
CMS related samples are provided in
the PKIFv2 User’s Guide Section 6.4 under: Creating
signed messages, Verifying
signed messages, Creating encrypted messages and Decrypting
encrypted
messages.
PKIFv2 enables application to process
signature information,
e.g. using the CMS SignedData format, and to verify signatures using a
public
key. The CMS
structures implemented by PKIFv2
are based on those defined in [RFC3369].
Several CMS related samples are provided in the PKIFv2
User’s Guide
Section 6.4 under: Creating signed messages, Verifying
signed messages,
Creating encrypted messages and Decrypting
encrypted messages.
PKIFv2 enables application to perform
public key encryption
using key transfer algorithms such as RSA.
The CMS structures implemented by PKIFv2 are based on
those defined in
[RFC3369]. Several
CMS related samples
are provided in the PKIFv2 User’s Guide Section 6.4 under: Creating
signed
messages, Verifying signed messages, Creating
encrypted messages and
Decrypting encrypted messages.
PKIFv2 enables applications to
perform private key
decryption using key transfer algorithms such as RSA.
The CMS structures implemented by PKIFv2 are
based on those defined in [RFC3369].
Several CMS related samples are provided in the PKIFv2
User’s Guide
Section 6.4 under: Creating signed messages, Verifying
signed
messages, Creating encrypted messages and Decrypting
encrypted messages.
The interfaces identified in the
sections 6.1-6.5 require
support from a number of objects to prepare for and review the results
from the
various operations. The
following list
describes the entire TSFI for the library, including the interfaces
cited
above: