Oracle Cryptographic Toolkit Programmer's Guide Release 2.0.3 A54082-01 |
|
This chapter describes each Oracle Call Interface (OCI) function in the Oracle Cryptographic Toolkit. Each OCI function description contains the following information:
Refer to Chapter 2, OCI Programming Basics, in the Programmer's Guide to the Oracle Call InterfaceTM for an overview of the steps involved in calling OCI functions.
Refer to Appendix B, "OCI - API Mappings" for a list of OCI functions and the API functions to which they map.
Purpose
OCISecurityInitialize must be called after the user gets a security handle but before any security function is called.
Error handles are passed as parameters to OCI calls. Error handles are allocated at the beginning of an OCI application. The following handles are passed:
Handle Type | Handle Name |
---|---|
OCISecurity |
osshandle |
OCIError |
error_handle |
OCISecurityTerminate must be called after the user has finished using the security routines.
Following is a list of parameters and their descriptions.
Parameter Name | Description |
---|---|
OCISecurity |
osshandle |
OCIError |
error_handle |
OCISecurityOpenWallet opens a wallet based on the wallet resource locator (WRL).
Following is a list of parameters, their descriptions, modes, and types.
Defaults: The platform specific WRL default is used when the WRL is NZT_DEFAULT_WRL. Use the WRL type specific default (e.g., "oracle:") when only the wallet type is specified.
A wallet is opened and its password is verified by hashing it and comparing the result with the password hash stored with the wallet. The list of personas and their associated identities is built and stored into the wallet structure.
Implication: An Oracle based wallet can be implemented either in a user's private space or in world readable space.
OCISecurityCloseWallet closes a wallet based on the wallet resource locator (WRL).
Following is a list of parameters, their descriptions, modes, and types.
Parameter Name | Description | Mode | Type |
---|---|---|---|
OCISecurity |
osshandle |
|
|
OCIError |
error_handle |
|
|
wallet |
Initialized wallet structure |
[IN] |
nzttWallet |
Closing a wallet also closes all personas associated with that wallet. Any changes you have made to the persona will not automatically be saved.
Implication: An application can modify a persona, but the persona will revert to what it was in the wallet if it is not explicitly saved.
OCISecurityOpenPersona opens a persona in a wallet.
Following is a list of parameters, their descriptions, modes, and types.
Parameter Name | Description | Mode | Type |
---|---|---|---|
OCISecurity |
osshandle |
|
|
OCIError |
error_handle |
|
|
persona |
Persona |
{IN/OUT} |
nzttPersona |
A persona must be selected and opened before a cryptographic engine function can be used. The opened persona then initializes the protection set to either the system defaults or persona specific preferences. The opened persona also contains and maintains any state information necessary for the cryptographic engine functions.
Following is a list of some of the possible error codes returned by this function.
Error | Explanation |
---|---|
NZERROR_TK_PASSWORD |
Password failed to decrypt persona |
NZERROR_TK_BADPRL |
Persona resource locator did not work |
NZERROR_RIO_OPEN |
Could not open persona (see network trace file) |
OCISecurityClosePersona closes a persona in a wallet.
Following is a list of parameters, their descriptions, modes, and types.
Parameter Name | Description | Mode | Type |
---|---|---|---|
OCISecurity |
osshandle |
|
|
OCIError |
error_handle |
|
|
persona |
Persona |
{IN/OUT} |
nzttPersona |
A persona is not stored when it is closed: it only releases the memory associated with the crypto engine.
Following is a list of some of the possible error codes returned by this function.
OCISecuritySign creates an attached signature.
Following is a list of parameters, their descriptions, modes, and types.
This function generates a signature that consists of a cryptographic checksum of the data to be signed: encrypted with the private key of the signing persona. The original data is then attached to the signature.
OCISecurityVerify verifies an attached signature.
Following is a list of parameters, their descriptions, modes, and types.
The data from the attached signature is used to generate a cryptographic checksum.
Then the signature part of the attached signature is decrypted using the signing identity's public key. The two checksums are then compared to verify they are identical. The signing identity is also validated to verify that it can be trusted and that it has not expired.
Following is a list of some of the possible error codes returned by this function.
Error | Explanation |
---|---|
NZERROR_TK_CANTGROW |
Needed to grow output buffer but could not |
NZERROR_TK_NOTOPEN |
Persona is not open |
NZERROR_TK_NOTSUPP |
Function not supported with persona |
OCISecurityValidate validates an identity.
Following is a list of parameters, their descriptions, modes, and types.
An identity is validated for trust and to verify that it has not expired.
Following is a list of some of the possible error codes returned by this function.
Error | Explanation |
---|---|
NZERROR_TK_NOTOPEN |
Persona is not open |
NZERROR_TK_NOTSUPP |
Function not supported with persona |
OCISecuritySignDetached generates a detached signature.
Following is a list of parameters, their descriptions, modes, and types.
The function is identical to OCISecuritySign, but the data to be signed is not attached to the signature. It generates a signature that consists of a cryptographic checksum of the data to be signed: encrypted with the private key of the signing persona.
Following is a list of some of the possible error codes returned by this function.
Error | Explanation |
---|---|
NZERROR_TK_NOTSUPP |
Function not supported with persona |
OCISecurityVerifyDetached verifies a detached signature.
Following is a list of parameters, their descriptions, modes, and types.
This function is identical to OCISecurityVerify, except the signature does not contain the data that will allow it to be verified. The data is provided by the application calling the function.
Following is a list of some of the possible error codes returned by this function.
Error | Explanation |
---|---|
NZERROR_TK_NOTOPEN |
Persona is not open |
NZERROR_TK_NOTSUPP |
Function not supported with persona |
OCISecurityHash generates a hash.
Following is a list of parameters, their descriptions, modes, and types.
This hash is a cryptographic hash, or checksum, of the input.
Following is a list of some of the possible error codes returned by this function.
Error | Explanation |
---|---|
NZERROR_TK_NOTSUPP |
Function not supported with persona |
OCISecuritySeedRandom supplies a seed to the Oracle Cryptographic Toolkit.
Following is a list of parameters, their descriptions, modes, and types.
Parameter Name | Description | Mode | Type |
---|---|---|---|
OCISecurity |
osshandle |
|
|
OCIError |
error_handle |
|
|
persona |
|
|
nzttPersona |
seed_length |
|
|
size_t |
seed |
|
|
ub1 |
OCISecurityRandomBytes generates a buffer block for random bytes.
Following is a list of parameters, their descriptions, modes, and types.
OCISecurityRandomNumber generates a random number.
Following is a list of parameters, their descriptions, modes, and types.
Parameter Name | Description | Mode | Type |
---|---|---|---|
OCISecurity |
osshandle |
|
|
OCIError |
error_handle |
|
|
persona |
Persona |
{IN} |
nzttPersona |
random_number_ptr |
Number |
{OUT} |
uword |
OCISecurityInitBlock initializes a buffer block.
Following is a list of parameters, their descriptions, modes, and types.
Parameter Name | Description | Mode | Type |
---|---|---|---|
OCISecurity |
osshandle |
|
|
OCIError |
error_handle |
|
|
buffer_block |
Buffer block |
{IN/OUT} |
nzttBufferBlock |
The buffer block is initialized to be empty (all members are set to zero/NULL). This block is allocated to memory as needed.
OCISecurityReuseBlock reuses a previously initialized, and possibly used, block.
Following is a list of parameters, their descriptions, modes, and types.
Parameter Name | Description | Mode | Type |
---|---|---|---|
OCISecurity |
osshandle |
|
|
OCIError |
error_handle |
|
|
buffer_block |
Buffer block |
{IN/OUT} |
nzttBufferBlock |
This function sets the used length member of the buffer block to zero (0). It will cause a block to be reused if it already has memory allocated to it.
OCISecurityPurgeBlock purges a buffer block of its memory.
Following is a list of parameters, their descriptions, modes, and types.
Parameter Name | Description | Mode | Type |
---|---|---|---|
OCISecurity |
osshandle |
|
|
OCIError |
error_handle |
|
|
buffer_block |
Buffer block |
{IN/OUT} |
nzttBufferBlock |
This command affects only the memory used by the buffer. It does not affect the block itself.
OCISecuritySetBlock sets a buffer block to a known state.
Following is a list of parameters, their descriptions, modes, and types.
This function allocates memory is allocated and stores a pointer in the buffer block.