PreviousNext

Accessing a Registered Cryptographic Module

Signature algorithms are identified by object identifiers (the character string returned by name( ) is intended for use in diagnostic or auditing messages). Certificates contain a field which identifies by OID the algorithm used to sign that certificate.

Policy implementors are recommended to access cryptographic modules mainly through the following routines, which perform all locking necessary to make the calls thread safe, and also transparently handle any context information that a given cryptographic implementation may need.

· pkc_crypto_get_registered_algorithms(3sec)
Call this routine to get an OID set describing the currently registered algorithm implementations.

· pkc_crypto_sign(3sec)
Call this routine to get data signed.

· pkc_crypto_verify_signature(3sec)
Call this routine to verify signed data.

· pkc_crypto_generate_keypair(3sec)
Call this routine to generate a pair of public/private keys.

Information about a cryptographic module may be obtained by calling pkc_crypto_lookup_algorithm(3sec).

Data can also be signed and verified by looking up the desired algorithm (with pkc_crypto_lookup_algorithm(3sec)) and then explicitly calling the module's (sign)( ) or verify( ) routine, although in this case the calling application must take care to avoid multi-threading issues, and is also responsible for opening the crypto module prior to use, and closing it afterwards..

A list of the OIDs of all currently registered cryptographic modules can be obtained by calling pkc_crypto_get_registered_algorithms( ). You can then access information about a specific module by calling the pkc_crypto_lookup_algorithm( ) routine. To sign data with a private key or to verify signed data with a public key, either pkc_crypto_verify_signature( ) or pkc_crypto_sign( ) can be called.

In the low-level certificate interrogation API, the verify( ) routine is automatically called by the pkc_crypto_verify_signature(3sec) routine.