libkmf(3LIB)
Name
libkmf - Key Management Framework library
Synopsis
cc [ flag... ] file... -lkmf [ library... ]
#include <kmfapi.h>
Description
These functions comprise the Key Management Framework (KMF)
library. They are intended to be used by applications that need to
perform operations involving the creation and management of public
key objects such as public/private key pairs, certificates, certificate
signing requests, certificate validation, certificate revocation lists,
and OCSP response processing.
Certificate to name mapping
KMF provides a means to map a certificate to a name according
to the configuration from the policy database or through the mapping
initialization function. The functions that provide the mapping functionality
are kmf_cert_to_name_mapping_initialize(), kmf_cert_to_name_mapping_finalize(),
kmf_map_cert_to_name(), kmf_match_cert_to_name(), and kmf_get_mapper_error_str(). KMF
provides different types of mapping through shared objects called
mappers. Supported mappers are:
- cn
The CN mapper maps a certificate to its value from
the Common Name attribute. All other certificate attributes are ignored.
The mapper should be used in domains where the Common Name values
are unique within the particular domain.
The mapper accepts only one option, the “case-sensitive”
option which defaults to false. If set, the kmf_match_cert_to_name()
function will honor the case sensitivity when comparing
the mapped name with the name provided. The option has no effect on
the kmf_map_cert_to_name() function.
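The map and match behavior described for the cn mapper can be modeled in a few lines. This is an added example, not libkmf code: model_map_cn() and model_match_cn() are hypothetical names, and the RFC 4514-style subject strings are an assumed, constructed input format.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the "map" step: copy the first CN value out of an RFC 4514-style
 * subject. Multi-valued RDNs and hex escapes are not handled. 0 on success. */
int model_map_cn(const char *subject, char *out, size_t outlen)
{
    const char *p = subject;
    if (outlen == 0) return -1;
    while (*p != '\0') {
        while (*p == ' ') p++;
        bool is_cn = tolower((unsigned char)p[0]) == 'c' &&
                     tolower((unsigned char)p[1]) == 'n' && p[2] == '=';
        size_t n = 0;
        if (is_cn) p += 3;
        while (*p != '\0' && *p != ',') {          /* to next unescaped ',' */
            if (*p == '\\' && p[1] != '\0') p++;   /* "\," is a literal comma */
            if (is_cn) {
                if (n + 1 >= outlen) return -1;    /* never truncate a name */
                out[n++] = *p;
            }
            p++;
        }
        if (is_cn) { out[n] = '\0'; return 0; }
        if (*p == ',') p++;
    }
    return -1;                                     /* subject has no CN */
}

/* Model of the "match" step: the case-sensitive option applies here only. */
bool model_match_cn(const char *subject, const char *name, bool case_sensitive)
{
    char cn[256];
    const char *a = cn, *b = name;
    if (model_map_cn(subject, cn, sizeof cn) != 0) return false;
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        int x = (unsigned char)*a, y = (unsigned char)*b;
        if (case_sensitive ? x != y : tolower(x) != tolower(y)) return false;
    }
    return *a == *b;                               /* both strings ended */
}

int main(void)
{
    /* Constructed subject; the name differs from its CN only in case. */
    const char *s = "O=Example,CN=Alice";
    printf("%d %d\n", model_match_cn(s, "alice", false),
           model_match_cn(s, "alice", true));
}
```

With the option at its default of false, certificates whose Common Names differ only in case match the same name, so the uniqueness requirement stated above has to hold case-insensitively.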
INTERFACES
The shared object libkmf.so.1 provides
the public interfaces defined below. See Intro(3) for additional information
on shared object interfaces.
kmf_add_cert_eku
kmf_add_csr_eku
kmf_add_policy_to_db
kmf_build_pk12
kmf_cert_to_name_mapping_finalize
kmf_cert_to_name_mapping_initialize
kmf_check_cert_date
kmf_check_crl_date
kmf_compare_rdns
kmf_configure_keystore
kmf_create_cert_file
kmf_create_csr_file
kmf_create_keypair
kmf_create_ocsp_request
kmf_create_sym_key
kmf_decode_csr
kmf_decrypt
kmf_delete_cert_from_keystore
kmf_delete_crl
kmf_delete_key_from_keystore
kmf_delete_policy_from_db
kmf_der_to_pem
kmf_dn_parser
kmf_download_cert
kmf_download_crl
kmf_ekuname_to_oid
kmf_encode_cert_record
kmf_encrypt
kmf_export_pk12
kmf_finalize
kmf_find_attr
kmf_find_cert
kmf_find_cert_in_crl
kmf_find_crl
kmf_find_key
kmf_find_prikey_by_cert
kmf_free_algoid
kmf_free_bigint
kmf_free_cert_chain
kmf_free_crl_dist_pts
kmf_free_data
kmf_free_dn
kmf_free_eku
kmf_free_eku_policy
kmf_free_extn
kmf_free_kmf_cert
kmf_free_kmf_key
kmf_free_policy_record
kmf_free_raw_key
kmf_free_raw_sym_key
kmf_free_signed_cert
kmf_free_signed_csr
kmf_free_spki
kmf_free_str
kmf_free_tbs_cert
kmf_free_tbs_csr
kmf_get_attr
kmf_get_attr_ptr
kmf_get_cert_auth_info_access
kmf_get_cert_basic_constraint
kmf_get_cert_chain
kmf_get_cert_crl_dist_pts
kmf_get_cert_eku
kmf_get_cert_email_str
kmf_get_cert_end_date_str
kmf_get_cert_extn
kmf_get_cert_extn_str
kmf_get_cert_id_data
kmf_get_cert_id_str
kmf_get_cert_issuer_str
kmf_get_cert_ku
kmf_get_cert_policies
kmf_get_cert_pubkey_alg_str
kmf_get_cert_pubkey_str
kmf_get_cert_serial_str
kmf_get_cert_sig_alg_str
kmf_get_cert_start_date_str
kmf_get_cert_subject_str
kmf_get_cert_validity
kmf_get_cert_version_str
kmf_get_cert_pubkey_id_data
kmf_get_cert_pubkey_id_str
kmf_get_data_format
kmf_get_encoded_ocsp_response
kmf_get_file_format
kmf_get_kmf_error_str
kmf_get_mapper_error_str
kmf_get_mapper_lasterror
kmf_get_mapper_options
kmf_get_ocsp_for_cert
kmf_get_ocsp_status_for_cert
kmf_get_pk11_handle
kmf_get_plugin_error_str
kmf_get_policy
kmf_get_string_attr
kmf_get_sym_key_value
kmf_hexstr_to_bytes
kmf_import_crl
kmf_import_cert
kmf_import_objects
kmf_initialize
kmf_is_cert_data
kmf_is_cert_file
kmf_is_crl_file
kmf_ku_to_string
kmf_list_crl
kmf_map_cert_to_name
kmf_match_cert_to_name
kmf_oid_to_ekuname
kmf_oid_to_string
kmf_pem_to_der
kmf_pk11_token_lookup
kmf_read_input_file
kmf_select_token
kmf_set_attr
kmf_set_attr_at_index
kmf_set_cert_basic_constraint
kmf_set_cert_extn
kmf_set_cert_issuer
kmf_set_cert_issuer_altname
kmf_set_cert_ku
kmf_set_cert_pubkey
kmf_set_cert_serial
kmf_set_cert_sig_alg
kmf_set_cert_subject
kmf_set_cert_subject_altname
kmf_set_cert_validity
kmf_set_cert_version
kmf_set_cert_spk_id
kmf_set_csr_extn
kmf_set_csr_ku
kmf_set_csr_pubkey
kmf_set_csr_sig_alg
kmf_set_csr_subject
kmf_set_csr_subject_altname
kmf_set_csr_version
kmf_set_mapper_lasterror
kmf_set_mapper_options
kmf_set_policy
kmf_set_token_pin
kmf_sign_cert
kmf_sign_csr
kmf_sign_data
kmf_store_cert
kmf_store_key
kmf_string_to_ku
kmf_string_to_oid
kmf_validate_cert
kmf_verify_cert
kmf_verify_crl_file
kmf_verify_csr
kmf_verify_data
kmf_verify_policy
Examples
Example 1 Configuring the certificate to name mapping.
The following example configures the default certificate to
name mapping to use the CN mapper while ignoring the case sensitivity
when matching the certificates.
$ kmfcfg modify policy=default mapper-name=cn \
mapper-options=casesensitive
Files
- /lib/libkmf.so.1
shared object
- /lib/64/libkmf.so.1
64-bit shared object
- /usr/include/kmfapi.h
KMF function definitions
- /usr/include/kmftypes.h
KMF structures and types.
Attributes
See attributes(5) for descriptions of the following attributes:
Availability: system/core-os
Interface Stability: Committed
MT-Level: Safe
See Also
kmfcfg(1), pktool(1), attributes(5)
Developer’s Guide to Oracle Solaris 11 Security