libkmf - man pages section 3: Library Interfaces and Headers

Language:

libkmf(3LIB)

Name

libkmf - Key Management Framework library

Synopsis

cc [ flag... ] file... –
lkmf [ library... ]
#include <kmfapi.h>

Description

These functions comprise the Key Management Framework (KMF) library. They are intended to be used by applications that need to perform operations involving the creation and management of public key objects such as public/private key pairs, certificates, certificate signing requests, certificate validation, certificate revocation lists, and OCSP response processing.

Certificate to name mapping

KMF provides a means to map a certificate to a name according to the configuration from the policy database or through the mapping initialization function. The functions that provide the mapping functionality are kmf_cert_to_name_mapping_initialize(), kmf_cert_to_name_mapping_finalize (), kmf_map_cert_to_name(), kmf_match_cert_to_name (), and kmf_get_mapper_error_str(). KMF provides different types of mapping through shared objects called mappers. Supported mappers are:

cn

The CN mapper maps a certificate to its value from the Common Name attribute. All other certificate attributes are ignored. The mapper should be used in domains where the Common Name values are unique within the particular domain.

The mapper accepts only one option, the “case-sensitive” option which defaults to false. If set, the kmf_match_cert_to_name () function will honor the case sensitivity when comparing the mapped name with the name provided. The option has no effect on the kmf_map_cert_to_name() function.

INTERFACES

The shared object libkmf.so.1 provides the public interfaces defined below. See intro(3) for additional information on shared object interfaces.

`kmf_add_cert_eku`	`kmf_add_csr_eku`
`kmf_add_policy_to_db`	`kmf_build_pk12`
`kmf_cert_to_name_mapping_finalize`	`kmf_cert_to_name_mapping_initialize`
`kmf_check_cert_date`	`kmf_check_crl_date`
`kmf_compare_rdns`	`kmf_configure_keystore`
`kmf_create_cert_file`	`kmf_create_csr_file`
`kmf_create_keypair`	`kmf_create_ocsp_request`
`kmf_create_sym_key`	`kmf_decode_csr`
`kmf_decrypt`	`kmf_delete_cert_from_keystore`
`kmf_delete_crl`	`kmf_delete_key_from_keystore`
`kmf_delete_policy_from_db`	`kmf_der_to_pem`
`kmf_dn_parser`	`kmf_download_cert`
`kmf_download_crl`	`kmf_ekuname_to_oid`
`kmf_encode_cert_record`	`kmf_encrypt`
`kmf_export_pk12`	`kmf_finalize`
`kmf_find_attr`	`kmf_find_cert`
`kmf_find_cert_in_crl`	`kmf_find_crl`
`kmf_find_key`	`kmf_find_prikey_by_cert`
`kmf_free_algoid`	`kmf_free_bigint`
`kmf_free_cert_chain`	`kmf_free_crl_dist_pts`
`kmf_free_data`	`kmf_free_dn`
`kmf_free_eku`	`kmf_free_eku_policy`
`kmf_free_extn`	`kmf_free_kmf_cert`
`kmf_free_kmf_key`	`kmf_free_policy_record`
`kmf_free_raw_key`	`kmf_free_raw_sym_key`
`kmf_free_signed_cert`	`kmf_free_signed_csr`
`kmf_free_spki`	`kmf_free_str`
`kmf_free_tbs_cert`	`kmf_free_tbs_csr`
`kmf_get_attr`	`kmf_get_attr_ptr`
`kmf_get_cert_auth_info_access`	`kmf_get_cert_basic_constraint`
`kmf_get_cert_chain`	`kmf_get_cert_crl_dist_pts`
`kmf_get_cert_eku`	`kmf_get_cert_email_str`
`kmf_get_cert_end_date_str`	`kmf_get_cert_extn`
`kmf_get_cert_extn_str`	`kmf_get_cert_id_data`
`kmf_get_cert_id_str`	`kmf_get_cert_issuer_str`
`kmf_get_cert_ku`	`kmf_get_cert_policies`
`kmf_get_cert_pubkey_alg_str`	`kmf_get_cert_pubkey_str`
`kmf_get_cert_serial_str`	`kmf_get_cert_sig_alg_str`
`kmf_get_cert_start_date_str`	`kmf_get_cert_subject_str`
`kmf_get_cert_validity`	`kmf_get_cert_version_str`
`kmf_get_cert_pubkey_id_data`	`kmf_get_cert_pubkey_id_str`
`kmf_get_data_format`	`kmf_get_encoded_ocsp_response`
`kmf_get_file_format`	`kmf_get_kmf_error_str`
`kmf_get_mapper_error_str`	`kmf_get_mapper_lasterror`
`kmf_get_mapper_options`	`kmf_get_ocsp_for_cert`
`kmf_get_ocsp_status_for_cert`	`kmf_get_pk11_handle`
`kmf_get_plugin_error_str`	`kmf_get_policy`
`kmf_get_string_attr`	`kmf_get_sym_key_value`
`kmf_hexstr_to_bytes`	`kmf_import_crl`
`kmf_import_cert`	`kmf_import_objects`
`kmf_initialize`	`kmf_is_cert_data`
`kmf_is_cert_file`	`kmf_is_crl_file`
`kmf_ku_to_string`	`kmf_list_crl`
`kmf_map_cert_to_name`	`kmf_match_cert_to_name`
`kmf_oid_to_ekuname`	`kmf_oid_to_string`
`kmf_pem_to_der`	`kmf_pk11_token_lookup`
`kmf_read_input_file`	`kmf_select_token`
`kmf_set_attr`	`kmf_set_attr_at_index`
`kmf_set_cert_basic_constraint`	`kmf_set_cert_extn`
`kmf_set_cert_issuer`	`kmf_set_cert_issuer_altname`
`kmf_set_cert_ku`	`kmf_set_cert_pubkey`
`kmf_set_cert_serial`	`kmf_set_cert_sig_alg`
`kmf_set_cert_subject`	`kmf_set_cert_subject_altname`
`kmf_set_cert_validity`	`kmf_set_cert_version`
`kmf_set_cert_spk_id`	`kmf_set_csr_extn`
`kmf_set_csr_ku`	`kmf_set_csr_pubkey`
`kmf_set_csr_sig_alg`	`kmf_set_csr_subject`
`kmf_set_csr_subject_altname`	`kmf_set_csr_version`
`kmf_set_mapper_lasterror`	`kmf_set_mapper_options`
`kmf_set_policy`	`kmf_set_token_pin`
`kmf_sign_cert`	`kmf_sign_csr`
`kmf_sign_data`	`kmf_store_cert`
`kmf_store_key`	`kmf_string_to_ku`
`kmf_string_to_oid`	`kmf_validate_cert`
`kmf_verify_cert`	`kmf_verify_crl_file`
`kmf_verify_csr`	`kmf_verify_data`
`kmf_verify_policy`

Examples

Example 1 Configuring the certificate to name mapping.

The following example configures the default certificate to name mapping to use the CN mapper while ignoring the case sensitivity when matching the certificates.

$ kmfcfg modify policy=default mapper-name=cn \
     mapper-options=casesensitive

Files

/lib/libkmf.so.1: shared object
/lib/64/libkmf.so.1: 64-bit shared object
/usr/include/kmfapi.h: KMF function definitions
/usr/include/kmftypes.h: KMF structures and types.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	system/library
Interface Stability	Committed
MT-Level	Safe

man pages section 3: Library Interfaces and Headers