NAME
ESS_SIGNING_CERT_new
,
ESS_SIGNING_CERT_free
,
ESS_CERT_ID_new
,
ESS_CERT_ID_free
,
ESS_ISSUER_SERIAL_new
,
ESS_ISSUER_SERIAL_free
—
signing certificates for
S/MIME
SYNOPSIS
#include
<openssl/ts.h>
ESS_SIGNING_CERT *
ESS_SIGNING_CERT_new
(void);
void
ESS_SIGNING_CERT_free
(ESS_SIGNING_CERT
*signing_cert);
ESS_CERT_ID *
ESS_CERT_ID_new
(void);
void
ESS_CERT_ID_free
(ESS_CERT_ID
*cert_id);
ESS_ISSUER_SERIAL *
ESS_ISSUER_SERIAL_new
(void);
void
ESS_ISSUER_SERIAL_free
(ESS_ISSUER_SERIAL
*issuer_serial);
DESCRIPTION
The signing certificate may be included in the signedAttributes field of a SignerInfo structure to mitigate simple substitution and re-issue attacks.
ESS_SIGNING_CERT_new
()
allocates and initializes an empty ESS_SIGNING_CERT
object, representing an ASN.1 SigningCertificate
structure defined in RFC 2634 section 5.4. It can hold the certificate used
for signing the data, additional authorization certificates that can be used
during validation, and policies applying to the certificate.
ESS_SIGNING_CERT_free
()
frees signing_cert.
ESS_CERT_ID_new
()
allocates and initializes an empty ESS_CERT_ID object,
representing an ASN.1 ESSCertID structure defined in
RFC 2634 section 5.4.1. Such objects can be used inside
ESS_SIGNING_CERT objects, and each one can hold a SHA1
hash of one certificate.
ESS_CERT_ID_free
()
frees cert_id.
ESS_ISSUER_SERIAL_new
()
allocates and initializes an empty ESS_ISSUER_SERIAL
object, representing an ASN.1 IssuerSerial structure
defined in RFC 2634 section 5.4.1. It can hold an issuer name and a serial
number and can be included in an ESS_CERT_ID object,
which is useful for additional authorization certificates, but redundant for
the signing certificate itself.
ESS_ISSUER_SERIAL_free
()
frees issuer_serial.
RETURN VALUES
ESS_SIGNING_CERT_new
(),
ESS_CERT_ID_new
(), and
ESS_ISSUER_SERIAL_new
() return the new
ESS_SIGNING_CERT, ESS_CERT_ID,
or ESS_ISSUER_SERIAL object, respectively, or
NULL
if an error occurred.
STANDARDS
RFC 2634: Enhanced Security Services for S/MIME, section 5: Signing Certificate Attribute
Note that RFC 2634 has been updated by RFC 5035: Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility. But the current implementation only supports the Signing Certificate Attribute Definition Version 1 according to RFC 2634, not the Signing Certificate Attribute Definition Version 2 according to RFC 5035.
HISTORY
These functions first appeared in OpenSSL 1.0.0 and have been available since OpenBSD 4.9.