Hi Milinda,
I created the following[1] wiki page with some modifications to the API.
Please add the other functions too.
-Kau

[1]http://wiki.apache.org/general/rampartc/pkcs12_API

Milinda Pathirage wrote:
Hi all,

After doing some research on the OpenSSL PKCS12 implementation, I designed the
following API for a PKCS12 keystore to include in Rampart/C.

Currently the Rampart configuration supports specifying certificates using their
.pem file name. This approach limits our capabilities for server-side
security because we can only handle one user certificate (correct me if I am
wrong). A PKCS12 keystore implementation will allow us to store several
certificates inside one single file and retrieve and validate them according
to our requirements.

Here is the API for the PKCS12 keystore (this API was designed after examining the
Crypto interface of WSS4J):

pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);

This method is used to create a key store from the given file.


openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd)

Get the private key of the owner of the key store. Currently we are assuming that we
store our private/public key pair together with our CA certificates and
others' public keys. This method will handle the situation where there are several private
keys in the key store because we specify the alias.


pkcs12_keystore_get_certificates(char *alias)

Get the certificates for the given alias. Need to figure out the return type
(whether to return STACK_OF(X509) or an X509 array).

char * pkcs12_keystore_get_alias_for_cert_issuer(char *issuer)

Get the alias of the certificate that matches the given issuer's name.


char * pkcs12_keystore_get_alias_for_cert_serial(char *issuer, int serial)

Get the alias of the certificate that matches the given issuer's name and serial number.


char * pkcs12_keystore_get_alias_for_cert_sub_key_id(char *ski)

Get the alias of the certificate that matches the given Subject Key Identifier.


x509 * pkcs12_keystore_get_default_cert()

Get the default certificate of the key store.


char * pkcs12_keystore_get_alias_for_default_cert()

Get the alias of the default certificate.


char * pkcs12_keystore_get_alias_for_cert_thumb(char *thumb)

Get the alias of the certificate matching the given thumbprint.


pkcs12_keystore_get_alias_for_cert_DN(char *subject_dn)

Get the alias of the certificate matching the given DN.


Have to figure out how we can validate a given certificate. The function name
should change.
pkcs12_keystore_validate_cert_path(X509 certs)


This is only a draft API. I think there may be some missing parts. Please
feel free to comment on it.


Thanks

Milinda
--
http://blog.kaushalye.org/
http://wso2.org/