com.novell.security.japi.pki
Class NPKITverify

java.lang.Object
  |
  +--com.novell.security.japi.pki.NPKIToolbox
        |
        +--com.novell.security.japi.pki.NPKITverify

public class NPKITverify
extends NPKIToolbox

Used to perform certificate validation.


Field Summary
static int NPKIx509CertificateValid
          Indicates that the certificate is valid.
static int NPKIx509Invalid_Algorithm_Not_Supported
          Indicates that the cryptographic algorithm is not supported.
static int NPKIx509Invalid_Cant_Process_CDP
          Indicates the certificate contained a distribution point that cannot be processed.
static int NPKIx509Invalid_Cant_Read_CRL
          Indicates that the CRL could not be read.
static int NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL
          Indicates that the certificate is valid.
static int NPKIx509Invalid_Certificate_On_CRL
          Indicates that one of the certificates in the chain is on a CRL (Certificate Revocation List).
static int NPKIx509Invalid_CRL_Decode_Error
          Indicates an error occurred during the decoding of the CRL (Certificate Revocation List).
static int NPKIx509Invalid_CRL_Issuer_Name
          Indicates that the issuer name of the CRL identified in the certificate does not match the issuer name in the actual CRL retrieved.
static int NPKIx509Invalid_Decode_Error
          Indicates there was a problem decoding the certificate.
static int NPKIx509Invalid_Expired
          Indicates that the certificate has expired.
static int NPKIx509Invalid_Expired_CRL
          Indicates the CRL has expired and a new one has not been issued.
static int NPKIx509Invalid_Extension_Not_Critical
          Indicates that an extension which must be set to critical in order for the certificate to be valid is not set to critical.
static int NPKIx509Invalid_Future
          Indicates that the certificate's start date is in the future.
static int NPKIx509Invalid_Invalid_CRL
          Indicates the CRL was not valid for this certificate.
static int NPKIx509Invalid_Invalid_Signature
          Indicates that the cryptographic signature does not match.
static int NPKIx509Invalid_Issuer_Not_CA
          Indicates that the issuer is not a valid CA (Certification Authority).
static int NPKIx509Invalid_Issuer_Not_Trusted
          Indicates that one or more of the CA certificates are not in the configured Trusted Root container.
static int NPKIx509Invalid_KeyUsage
          Indicates that the key does not support the requested usage.
static int NPKIx509Invalid_Missing_Certificate_Policy
          Indicates that a critical certificate policy is absent from a CA certificate.
static int NPKIx509Invalid_Missing_Required_Extension
          Indicates that a required extension is not present.
static int NPKIx509Invalid_OCSP_ERROR
          Indicates that either the OCSP server could not be reached, or there was an error with the OCSP response.
static int NPKIx509Invalid_OCSP_REVOKED
          Indicates that the certificate has been revoked as reported by the OCSP server.
static int NPKIx509Invalid_OCSP_UNKNOWN
          Indicates that the OCSP server does not know the revocation status of the certificate.
static int NPKIx509Invalid_Path_Length
          Indicates that the X.509 basic constraints path length has been violated.
static int NPKIx509Invalid_Subject_Issuer_Name
          Indicates that the subject name of the issuing certificate does not match the issuer name of subject certificate.
static int NPKIx509Invalid_System_Error
          Indicates there were some hardware problems or network problems.
static int NPKIx509Invalid_Unknown_Critical_Extension
          Indicates the certificate contained a critical extension that could not be understood.
static int PKI_AA_COMPROMISE
          N/A.
static int PKI_AFFILIATION_CHANGED
          The subject of the certificate is no longer affiliated with the issuer of the certificate.
static int PKI_CA_COMPROMISED
          The Certificate Authority's private key has been compromised.
static int PKI_CERTIFICATE_HOLD
          The certificate is temporarily on hold.
static int PKI_CESSATION_OF_OPERATION
          The Certificate Authority is no longer operating.
static int PKI_KEY_COMPROMISED
          The certificate's private key has been compromised.
static int PKI_PRIVILEDGE_WITHDRAWN
          The subject of the certificate no longer has privileges.
static int PKI_SUPERSEDED
          A replacement certificate has been issued.
static int PKI_UNSPECIFIED
          The reason is not specified.
 
Constructor Summary
NPKITverify()
          Constructor.
 
Method Summary
 int certificate(byte[] issuerCertificate, byte[] subjectCertificate)
          Determines if the specified subjectCertificate can be verified by the issuerCertificate.
static void certificateChain(com.novell.security.japi.pki.NPKI_CertChain certChain, int flags, java.lang.Integer crlReason, java.lang.Integer crlHoldInstruction, java.lang.Integer crlRevocationTime, java.lang.Integer crlInvalidityDateTime, com.novell.security.japi.pki.NPKI_CertChain revokedCertificate, java.lang.Integer certInvalidityReason, com.novell.security.japi.pki.NPKI_crlCacheContext crlCacheContext)
          Verifies the certificate chain passed in.
 void createContext()
          Creates a new NPKIT API context handle.
 void freeContext()
          Frees a previously allocated NPKIT context and all associated memory.
 void initialize()
          Initializes the PKI context.
 void issuerSubjectNameMatch(byte[] issuerCertificate, byte[] subjectCertificate)
          Determines if the specified subjectCertificate's issuer name matches the issuerCertificate's subject name.
 void verifyCertificatePrivateKeyAgreement(byte[] certificate, byte[] wrappedPrivateKey)
          Determines if the public key contained in the certificate matches the wrappedPrivateKey.
 void verifySignatureWithCertificate(byte[] data, int algorithmId, byte[] signature, byte[] certificate)
          Determines if the specified signature of the data was signed by the private key matching certificate.
 
Methods inherited from class com.novell.security.japi.pki.NPKIToolbox
decodeCSR, destroy, finalize, getUTCString, loadLibrary, version
 
Methods inherited from class java.lang.Object
clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

PKI_UNSPECIFIED

public static final int PKI_UNSPECIFIED
The reason is not specified.

(PKI_UNSPECIFIED = 0)

See Also:
Constant Field Values

PKI_KEY_COMPROMISED

public static final int PKI_KEY_COMPROMISED
The certificate's private key has been compromised.

(PKI_KEY_COMPROMISED = 1)

See Also:
Constant Field Values

PKI_CA_COMPROMISED

public static final int PKI_CA_COMPROMISED
The Certificate Authority's private key has been compromised.

(PKI_CA_COMPROMISED = 2)

See Also:
Constant Field Values

PKI_AFFILIATION_CHANGED

public static final int PKI_AFFILIATION_CHANGED
The subject of the certificate is no longer affiliated with the issuer of the certificate.

(PKI_AFFILIATION_CHANGED = 3)

See Also:
Constant Field Values

PKI_SUPERSEDED

public static final int PKI_SUPERSEDED
A replacement certificate has been issued.

(PKI_SUPERSEDED = 4)

See Also:
Constant Field Values

PKI_CESSATION_OF_OPERATION

public static final int PKI_CESSATION_OF_OPERATION
The Certificate Authority is no longer operating.

(PKI_CESSATION_OF_OPERATION = 5)

See Also:
Constant Field Values

PKI_CERTIFICATE_HOLD

public static final int PKI_CERTIFICATE_HOLD
The certificate is temporarily on hold.

(PKI_CERTIFICATE_HOLD = 6)

See Also:
Constant Field Values

PKI_PRIVILEDGE_WITHDRAWN

public static final int PKI_PRIVILEDGE_WITHDRAWN
The subject of the certificate no longer has privileges.

(PKI_PRIVILEDGE_WITHDRAWN = 7)

See Also:
Constant Field Values

PKI_AA_COMPROMISE

public static final int PKI_AA_COMPROMISE
N/A.

(PKI_AA_COMPROMISE = 8)

See Also:
Constant Field Values

NPKIx509CertificateValid

public static final int NPKIx509CertificateValid
Indicates that the certificate is valid.

(NPKIx509CertificateValid = 0x0000000)

See Also:
Constant Field Values

NPKIx509Invalid_System_Error

public static final int NPKIx509Invalid_System_Error
Indicates there were some hardware problems or network problems.

(NPKIx509Invalid_System_Error = 0x0000001)

See Also:
Constant Field Values

NPKIx509Invalid_Decode_Error

public static final int NPKIx509Invalid_Decode_Error
Indicates there was a problem decoding the certificate.

(NPKIx509Invalid_Decode_Error = 0x0000002)

See Also:
Constant Field Values

NPKIx509Invalid_Subject_Issuer_Name

public static final int NPKIx509Invalid_Subject_Issuer_Name
Indicates that the subject name of the issuing certificate does not match the issuer name of subject certificate.

(NPKIx509Invalid_Subject_Issuer_Name = 0x0000003)

See Also:
Constant Field Values

NPKIx509Invalid_Future

public static final int NPKIx509Invalid_Future
Indicates that the certificate's start date is in the future.

(NPKIx509Invalid_Future = 0x0000004)

See Also:
Constant Field Values

NPKIx509Invalid_Expired

public static final int NPKIx509Invalid_Expired
Indicates that the certificate has expired.

(NPKIx509Invalid_Expired = 0x0000005)

See Also:
Constant Field Values

NPKIx509Invalid_Issuer_Not_CA

public static final int NPKIx509Invalid_Issuer_Not_CA
Indicates that the issuer is not a valid CA (Certification Authority).

(NPKIx509Invalid_Issuer_Not_CA = 0x0000006)

See Also:
Constant Field Values

NPKIx509Invalid_Path_Length

public static final int NPKIx509Invalid_Path_Length
Indicates that the X.509 basic constraints path length has been violated.

(NPKIx509Invalid_Path_Length = 0x0000007)

See Also:
Constant Field Values

NPKIx509Invalid_Unknown_Critical_Extension

public static final int NPKIx509Invalid_Unknown_Critical_Extension
Indicates the certificate contained a critical extension that could not be understood.

(NPKIx509Invalid_Unknown_Critical_Extension = 0x0000008)

See Also:
Constant Field Values

NPKIx509Invalid_KeyUsage

public static final int NPKIx509Invalid_KeyUsage
Indicates that the key does not support the requested usage.

(NPKIx509Invalid_KeyUsage = 0x0000009)

See Also:
Constant Field Values

NPKIx509Invalid_CRL_Decode_Error

public static final int NPKIx509Invalid_CRL_Decode_Error
Indicates an error occurred during the decoding of the CRL (Certificate Revocation List).

(NPKIx509Invalid_CRL_Decode_Error = 0x000000A)

See Also:
Constant Field Values

NPKIx509Invalid_Certificate_On_CRL

public static final int NPKIx509Invalid_Certificate_On_CRL
Indicates that one of the certificates in the chain is on a CRL (Certificate Revocation List).

(NPKIx509Invalid_Certificate_On_CRL = 0x000000B)

See Also:
Constant Field Values

NPKIx509Invalid_Cant_Process_CDP

public static final int NPKIx509Invalid_Cant_Process_CDP
Indicates the certificate contained a distribution point that cannot be processed.

(NPKIx509Invalid_Cant_Process_CDP = 0x000000C)

See Also:
Constant Field Values

NPKIx509Invalid_Cant_Read_CRL

public static final int NPKIx509Invalid_Cant_Read_CRL
Indicates that the CRL could not be read.

(NPKIx509Invalid_Cant_Read_CRL = 0x000000D)

See Also:
Constant Field Values

NPKIx509Invalid_Invalid_CRL

public static final int NPKIx509Invalid_Invalid_CRL
Indicates the CRL was not valid for this certificate.

(NPKIx509Invalid_Invalid_CRL = 0x000000E)

See Also:
Constant Field Values

NPKIx509Invalid_Expired_CRL

public static final int NPKIx509Invalid_Expired_CRL
Indicates the CRL has expired and a new one has not been issued.

(NPKIx509Invalid_Expired_CRL = 0x000000F)

See Also:
Constant Field Values

NPKIx509Invalid_CRL_Issuer_Name

public static final int NPKIx509Invalid_CRL_Issuer_Name
Indicates that the issuer name of the CRL identified in the certificate does not match the issuer name in the actual CRL retrieved.

(NPKIx509Invalid_CRL_Issuer_Name = 0x0000010)

See Also:
Constant Field Values

NPKIx509Invalid_Issuer_Not_Trusted

public static final int NPKIx509Invalid_Issuer_Not_Trusted
Indicates that one or more of the CA certificates are not in the configured Trusted Root container.

(NPKIx509Invalid_Issuer_Not_Trusted = 0x0000011)

See Also:
Constant Field Values

NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL

public static final int NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL
Indicates that the certificate is valid. This is an advisory flag. The CDP (Certificate Distribution Point) exists but the CRL (Certificate Revocation List) was not checked because the caller of the API requested that it not be checked.

(NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL = 0x0000012)

See Also:
Constant Field Values

NPKIx509Invalid_Invalid_Signature

public static final int NPKIx509Invalid_Invalid_Signature
Indicates that the cryptographic signature does not match. Either an invalid key was used to encode the signature or the signed data has been modified.

(NPKIx509Invalid_Invalid_Signature = 0x0000013)

See Also:
Constant Field Values

NPKIx509Invalid_Algorithm_Not_Supported

public static final int NPKIx509Invalid_Algorithm_Not_Supported
Indicates that the cryptographic algorithm is not supported.

(NPKIx509Invalid_Algorithm_Not_Supported = 0x0000014)

See Also:
Constant Field Values

NPKIx509Invalid_Missing_Required_Extension

public static final int NPKIx509Invalid_Missing_Required_Extension
Indicates that a required extension is not present.

(NPKIx509Invalid_Missing_Required_Extension = 0x0000015)

See Also:
Constant Field Values

NPKIx509Invalid_Extension_Not_Critical

public static final int NPKIx509Invalid_Extension_Not_Critical
Indicates that an extension which must be set to critical in order for the certificate to be valid is not set to critical.

(NPKIx509Invalid_Extension_Not_Critical = 0x0000016)

See Also:
Constant Field Values

NPKIx509Invalid_Missing_Certificate_Policy

public static final int NPKIx509Invalid_Missing_Certificate_Policy
Indicates that a critical certificate policy is absent from a CA certificate.

(NPKIx509Invalid_Missing_Certificate_Policy = 0x0000017)

See Also:
Constant Field Values

NPKIx509Invalid_OCSP_REVOKED

public static final int NPKIx509Invalid_OCSP_REVOKED
Indicates that the certificate has been revoked as reported by the OCSP server.

(NPKIx509Invalid_OCSP_REVOKED = 0x0000020)

See Also:
Constant Field Values

NPKIx509Invalid_OCSP_ERROR

public static final int NPKIx509Invalid_OCSP_ERROR
Indicates that either the OCSP server could not be reached, or there was an error with the OCSP response.

(NPKIx509Invalid_OCSP_ERROR = 0x0000021)

See Also:
Constant Field Values

NPKIx509Invalid_OCSP_UNKNOWN

public static final int NPKIx509Invalid_OCSP_UNKNOWN
Indicates that the OCSP server does not know the revocation status of the certificate.

(NPKIx509Invalid_OCSP_UNKNOWN = 0x0000022)

See Also:
Constant Field Values

Constructor Detail

NPKITverify

public NPKITverify()
            throws NPKI_Exception
Constructor.

Throws:
NPKI_Exception - An NPKIT error code.

Method Detail

initialize

public void initialize()
                throws NPKI_Exception
Description copied from class: NPKIToolbox
Initializes the PKI context.

This function must be called to instantiate PKI services.

Overrides:
initialize in class NPKIToolbox
Throws:
NPKI_Exception - Throws a PKI error code if not successful.

createContext

public void createContext()
                   throws NPKI_Exception
Creates a new NPKIT API context handle. The context will be used for verification of X.509 certificates.

Specified by:
createContext in class NPKIToolbox
Throws:
NPKI_Exception - An NPKIT error code.
See Also:
freeContext

freeContext

public void freeContext()
                 throws NPKI_Exception
Frees a previously allocated NPKIT context and all associated memory.

Specified by:
freeContext in class NPKIToolbox
Throws:
NPKI_Exception - If an error occurs.
See Also:
createContext

certificateChain

public static final void certificateChain(com.novell.security.japi.pki.NPKI_CertChain certChain,
                                          int flags,
                                          java.lang.Integer crlReason,
                                          java.lang.Integer crlHoldInstruction,
                                          java.lang.Integer crlRevocationTime,
                                          java.lang.Integer crlInvalidityDateTime,
                                          com.novell.security.japi.pki.NPKI_CertChain revokedCertificate,
                                          java.lang.Integer certInvalidityReason,
                                          com.novell.security.japi.pki.NPKI_crlCacheContext crlCacheContext)
                                   throws NPKI_Exception
Verifies the certificate chain passed in.

The certificate chain must be in leaf to root order. The last certificate in the chain is assumed to be trusted by the caller of the API. If any certificate is invalid (i.e. revoked or expired), an error is returned. The caller of this method must build the chain in the proper order using the NPKI_CertChain class.

Parameters:
certChain - Certificate chain
flags - Certificate flags: (IN) Use one of the following flags:
  • NPKI_VERIFY_NORMAL - (0x00000000)
  • NPKI_VERIFY_DONT_CHECK_CERTIFICATE - (0x00000001)
  • NPKI_VERIFY_DONT_CHECK_CRL - (0x00000002)
crlReason - (OUT) Returns an Integer indicating the reason why the certificate was revoked. This will only be set if the return code is set to PKI_E_CERT_INVALID. The possible values are defined below:
  • PKI_UNSPECIFIED - No reason is specified for the revocation.
  • PKI_KEY_COMPROMISED - The certificate's private key has been compromised.
  • PKI_CA_COMPROMISED - The Certificate Authority's private key has been compromised.
  • PKI_AFFILIATION_CHANGED - The subject of the certificate is no longer affiliated with the issuer of the certificate.
  • PKI_SUPERSEDED - A new certificate has been issued.
  • PKI_CESSATION_OF_OPERATION - The Certificate Authority is no longer operating.
  • PKI_CERTIFICATE_HOLD - The certificate is temporarily on hold.
  • PKI_REMOVE_FROM_CRL - N/A
  • PKI_PRIVILEDGE_WITHDRAWN - The subject of the certificate no longer has privileges.
  • PKI_AA_COMPROMISE - N/A
crlHoldInstruction - (OUT) If the certificate is invalid, and the certInvalidityReason is set to NPKIx509Invalid_Certificate_On_CRL, and the crlReason is set to PKI_HOLD_INSTRUCTION_NONE then the hold instruction from the CRL will be returned in this parameter. The possible values for crlHoldInstruction are:
  • PKI_HOLD_INSTRUCTION_NONE - (0)
  • PKI_HOLD_INSTRUCTION_CALL_ISSUER - (1)
  • PKI_HOLD_INSTRUCTION_REJECT - (2)
crlRevocationTime - (OUT) Returns the time and date the certificate was revoked. This will only be set if the return code is set to PKI_E_CERT_INVALID.
crlInvalidityDateTime - (OUT) The time and date the CRL becomes invalid.
revokedCertificate - (OUT) A chain of the X.509 certificate(s) that were found to be on a CRL. This will only be set if the return code is set to PKI_E_CERT_INVALID.
certInvalidityReason - (OUT) Reason why the certificate is invalid. This will only be set if the return code is set to PKI_E_CERT_INVALID. The possible reasons why the certificate is invalid are defined below:
crlCacheContext - (OUT) Reserved for future use. Pass a NULL.
Throws:
NPKI_Exception - Throws a NICI or PKI error code if not successful.

certificate

public int certificate(byte[] issuerCertificate,
                       byte[] subjectCertificate)
                throws NPKI_Exception
Determines if the specified subjectCertificate can be verified by the issuerCertificate. In this release certificate checks the following:
  1. Issuer / Subject name agreement
  2. Subject Validity dates are a subset of Issuer Validity dates
  3. Validity dates are valid
  4. Issuer certificate signed Subject certificate
  5. Issuer is a CA
  6. Path Length constraints have not been exceeded
  7. Key Usage of issuer allows for certificate signing
  8. Issuer's Critical Extensions are supported

NOTE: This API does not check certificate revocation. Use certificateChain for complete certificate verification.

Parameters:
issuerCertificate - (IN) Certificate you wish to use to verify the subject certificate.
subjectCertificate - (IN) Subject certificate you wish to be verified.
Returns:
Reason the certificate was invalid.
Throws:
NPKI_Exception - Throws a NICI or PKI error code if not successful.
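
An added example, not code from this page or from the Novell library: a fail-closed policy over the reason codes that certificate and certificateChain report, applied to a pairwise leaf-to-root walk. The constant values are copied from the Field Detail section; LinkVerifier, classify, walkChain and the one-byte stub certificates are hypothetical, and the code assumes certificate returns NPKIx509CertificateValid when every check passes.

```java
import java.util.Arrays;
import java.util.List;

public class NpkiVerifyPolicy {
    // Reason-code values copied from the Field Detail section of this page.
    static final int VALID = 0x00;               // NPKIx509CertificateValid
    static final int CRL_DECODE_ERROR = 0x0A;    // NPKIx509Invalid_CRL_Decode_Error
    static final int CERT_ON_CRL = 0x0B;         // NPKIx509Invalid_Certificate_On_CRL
    static final int CANT_PROCESS_CDP = 0x0C;    // NPKIx509Invalid_Cant_Process_CDP
    static final int CANT_READ_CRL = 0x0D;       // NPKIx509Invalid_Cant_Read_CRL
    static final int EXPIRED_CRL = 0x0F;         // NPKIx509Invalid_Expired_CRL
    static final int CDP_NOT_CHECKED = 0x12;     // NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL
    static final int OCSP_REVOKED = 0x20;        // NPKIx509Invalid_OCSP_REVOKED
    static final int OCSP_ERROR = 0x21;          // NPKIx509Invalid_OCSP_ERROR
    static final int OCSP_UNKNOWN = 0x22;        // NPKIx509Invalid_OCSP_UNKNOWN

    enum Decision { ACCEPT, ACCEPT_REVOCATION_UNCHECKED, REJECT_REVOKED,
                    REJECT_REVOCATION_UNAVAILABLE, REJECT_INVALID }

    /** Hypothetical seam standing in for NPKITverify.certificate(issuer, subject). */
    interface LinkVerifier { int verify(byte[] issuer, byte[] subject) throws Exception; }

    /** Maps one reason code to a decision; anything unrecognised is rejected. */
    static Decision classify(int reason, boolean requireRevocation) {
        switch (reason) {
            case VALID:
                return Decision.ACCEPT;
            case CDP_NOT_CHECKED:   // advisory: valid, but the CRL was skipped on request
                return requireRevocation ? Decision.REJECT_REVOCATION_UNAVAILABLE
                                         : Decision.ACCEPT_REVOCATION_UNCHECKED;
            case CERT_ON_CRL: case OCSP_REVOKED:
                return Decision.REJECT_REVOKED;
            case CRL_DECODE_ERROR: case CANT_PROCESS_CDP: case CANT_READ_CRL:
            case EXPIRED_CRL: case OCSP_ERROR: case OCSP_UNKNOWN:
                return Decision.REJECT_REVOCATION_UNAVAILABLE;   // status unknown: no soft-fail
            default:
                return Decision.REJECT_INVALID;
        }
    }

    /** Checks each adjacent pair of a leaf-to-root chain; stops at the first failure. */
    static Decision walkChain(List<byte[]> leafToRoot, LinkVerifier v, boolean requireRevocation) {
        if (leafToRoot == null || leafToRoot.size() < 2) return Decision.REJECT_INVALID;
        for (int i = 0; i + 1 < leafToRoot.size(); i++) {
            int reason;
            try {
                reason = v.verify(leafToRoot.get(i + 1), leafToRoot.get(i));
            } catch (Exception e) {           // e.g. NPKI_Exception: never treat as success
                return Decision.REJECT_INVALID;
            }
            Decision d = classify(reason, requireRevocation);
            if (d != Decision.ACCEPT) return d;
        }
        // Pairwise checks never consult a CRL or OCSP, so revocation is still open here.
        return requireRevocation ? Decision.REJECT_REVOCATION_UNAVAILABLE
                                 : Decision.ACCEPT_REVOCATION_UNCHECKED;
    }

    public static void main(String[] args) {
        // Constructed stub: each "certificate" is one byte that the stub returns as the reason.
        LinkVerifier stub = (issuer, subject) -> subject[0];
        List<byte[]> good = Arrays.asList(new byte[]{0}, new byte[]{0}, new byte[]{0});
        List<byte[]> expiredLeaf = Arrays.asList(new byte[]{0x05}, new byte[]{0}, new byte[]{0});
        System.out.println(walkChain(good, stub, false));
        System.out.println(walkChain(good, stub, true));
        System.out.println(walkChain(expiredLeaf, stub, false));
        System.out.println(classify(CDP_NOT_CHECKED, true));
        System.out.println(classify(OCSP_UNKNOWN, false));
    }
}
```

In real use the LinkVerifier would wrap a call to certificate on an NPKITverify instance, and a caller that requires revocation checking would use certificateChain instead, as the NOTE above says.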

issuerSubjectNameMatch

public void issuerSubjectNameMatch(byte[] issuerCertificate,
                                   byte[] subjectCertificate)
                            throws NPKI_Exception
Determines if the specified subjectCertificate's issuer name matches the issuerCertificate's subject name. This API is a light-weight API that can be used to determine the order of a certificate chain.

Parameters:
issuerCertificate - (IN) Certificate you wish to use to verify the subject certificate.
subjectCertificate - (IN) Subject certificate you wish to verify.
Throws:
NPKI_Exception - Thrown if a PKI error occurs or if not successful.

verifySignatureWithCertificate

public void verifySignatureWithCertificate(byte[] data,
                                           int algorithmId,
                                           byte[] signature,
                                           byte[] certificate)
                                    throws NPKI_Exception
Determines if the specified signature of the data was signed by the private key matching certificate. This API is designed to help determine the authenticity of signed data.

Parameters:
data - (IN) The original data.
algorithmId - (IN) The signing algorithm used to sign the data.
signature - (IN) The signature of the signed data.
certificate - (IN) The certificate to be used to verify the authenticity of the signature.
Throws:
NPKI_Exception - Thrown if a PKI error occurs or if the signature does not match.

verifyCertificatePrivateKeyAgreement

public void verifyCertificatePrivateKeyAgreement(byte[] certificate,
                                                 byte[] wrappedPrivateKey)
                                          throws NPKI_Exception
Determines if the public key contained in the certificate matches the wrappedPrivateKey. This API is designed to help determine if the public key in the certificate is the matching pair to the private key.

Parameters:
certificate - (IN) The certificate containing the public key.
wrappedPrivateKey - (IN) The cryptographically wrapped private key. This key was cryptographically wrapped in the NICI storage key to protect it from disclosure.
Throws:
NPKI_Exception - Thrown if a PKI error occurs or if the keys do not match.