'\" te
.\" Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved.
.TH libkmf 3LIB "23 Aug 2011" "SunOS 5.11" "Interface Libraries"
.SH NAME
libkmf \- Key Management Framework library
.SH SYNOPSIS
.LP
.nf
cc [ \fIflag\fR... ] \fIfile\fR... \fB-lkmf\fR [ \fIlibrary\fR... ]
#include <kmfapi.h>
.fi

.SH DESCRIPTION
.sp
.LP
These functions comprise the Key Management Framework (KMF) library. They are intended to be used by applications that need to perform operations involving the creation and management of public key objects such as public/private key pairs, certificates, certificate signing requests, certificate validation, certificate revocation lists, and OCSP response processing.
.SS "Certificate to name mapping"
.sp
.LP
KMF provides a means to map a certificate to a name according to the configuration from the policy database or through the mapping initialization function. The functions that provide the mapping functionality are \fBkmf_cert_to_name_mapping_initialize()\fR, \fBkmf_cert_to_name_mapping_finalize()\fR, \fBkmf_map_cert_to_name()\fR, \fBkmf_match_cert_to_name()\fR, and \fBkmf_get_mapper_error_str()\fR. KMF provides different types of mapping through shared objects called mappers. Supported mappers are:
.sp
.ne 2
.mk
.na
\fB\fBcn\fR\fR
.ad
.RS 6n
.rt  
The CN mapper maps a certificate to its value from the Common Name attribute. All other certificate attributes are ignored. The mapper should be used in domains where the Common Name values are unique within the particular domain.
.sp
The mapper accepts only one option, the "case-sensitive" option which defaults to false. If set, the \fBkmf_match_cert_to_name()\fR function will honor the case sensitivity when comparing the mapped name with the name provided. The option has no effect on the \fBkmf_map_cert_to_name()\fR function.
.RE

.SH INTERFACES
.sp
.LP
The shared object \fBlibkmf.so.1\fR provides the public interfaces defined below. See \fBIntro\fR(3) for additional information on shared object interfaces.
.sp

.sp
.TS
tab();
lw(2.75i) lw(2.75i) 
lw(2.75i) lw(2.75i) 
.
\fBkmf_add_cert_eku\fR\fBkmf_add_csr_eku\fR
\fBkmf_add_policy_to_db\fR\fBkmf_build_pk12\fR
\fBkmf_cert_to_name_mapping_finalize\fR\fBkmf_cert_to_name_mapping_initialize\fR
\fBkmf_check_cert_date\fR\fBkmf_check_crl_date\fR
\fBkmf_compare_rdns\fR\fBkmf_configure_keystore\fR
\fBkmf_create_cert_file\fR\fBkmf_create_csr_file\fR
\fBkmf_create_keypair\fR\fBkmf_create_ocsp_request\fR
\fBkmf_create_sym_key\fR\fBkmf_decode_csr\fR
\fBkmf_decrypt\fR\fBkmf_delete_cert_from_keystore\fR
\fBkmf_delete_crl\fR\fBkmf_delete_key_from_keystore\fR
\fBkmf_delete_policy_from_db\fR\fBkmf_der_to_pem\fR
\fBkmf_dn_parser\fR\fBkmf_download_cert\fR
\fBkmf_download_crl\fR\fBkmf_ekuname_to_oid\fR
\fBkmf_encode_cert_record\fR\fBkmf_encrypt\fR
\fBkmf_export_pk12\fR\fBkmf_finalize\fR
\fBkmf_find_attr\fR\fBkmf_find_cert\fR
\fBkmf_find_cert_in_crl\fR\fBkmf_find_crl\fR
\fBkmf_find_key\fR\fBkmf_find_prikey_by_cert\fR
\fBkmf_free_algoid\fR\fBkmf_free_bigint\fR
\fBkmf_free_cert_chain\fR\fBkmf_free_crl_dist_pts\fR
\fBkmf_free_data\fR\fBkmf_free_dn\fR
\fBkmf_free_eku\fR\fBkmf_free_eku_policy\fR
\fBkmf_free_extn\fR\fBkmf_free_kmf_cert\fR
\fBkmf_free_kmf_key\fR\fBkmf_free_policy_record\fR
\fBkmf_free_raw_key\fR\fBkmf_free_raw_sym_key\fR
\fBkmf_free_signed_cert\fR\fBkmf_free_signed_csr\fR
\fBkmf_free_spki\fR\fBkmf_free_str\fR
\fBkmf_free_tbs_cert\fR\fBkmf_free_tbs_csr\fR
\fBkmf_get_attr\fR\fBkmf_get_attr_ptr\fR
\fBkmf_get_cert_auth_info_access\fR\fBkmf_get_cert_basic_constraint\fR
\fBkmf_get_cert_chain\fR\fBkmf_get_cert_crl_dist_pts\fR
\fBkmf_get_cert_eku\fR\fBkmf_get_cert_email_str\fR
\fBkmf_get_cert_end_date_str\fR\fBkmf_get_cert_extn\fR
\fBkmf_get_cert_extn_str\fR\fBkmf_get_cert_id_data\fR
\fBkmf_get_cert_id_str\fR\fBkmf_get_cert_issuer_str\fR
\fBkmf_get_cert_ku\fR\fBkmf_get_cert_policies\fR
\fBkmf_get_cert_pubkey_alg_str\fR\fBkmf_get_cert_pubkey_str\fR
\fBkmf_get_cert_serial_str\fR\fBkmf_get_cert_sig_alg_str\fR
\fBkmf_get_cert_start_date_str\fR\fBkmf_get_cert_subject_str\fR
\fBkmf_get_cert_validity\fR\fBkmf_get_cert_version_str\fR
\fBkmf_get_cert_pubkey_id_data\fR\fBkmf_get_cert_pubkey_id_str\fR
\fBkmf_get_data_format\fR\fBkmf_get_encoded_ocsp_response\fR
\fBkmf_get_file_format\fR\fBkmf_get_kmf_error_str\fR
\fBkmf_get_mapper_error_str\fR\fBkmf_get_mapper_lasterror\fR
\fBkmf_get_mapper_options\fR\fBkmf_get_ocsp_for_cert\fR
\fBkmf_get_ocsp_status_for_cert\fR\fBkmf_get_pk11_handle\fR
\fBkmf_get_plugin_error_str\fR\fBkmf_get_policy\fR
\fBkmf_get_string_attr\fR\fBkmf_get_sym_key_value\fR
\fBkmf_hexstr_to_bytes\fR\fBkmf_import_crl\fR
\fBkmf_import_cert\fR\fBkmf_import_objects\fR
\fBkmf_initialize\fR\fBkmf_is_cert_data\fR
\fBkmf_is_cert_file\fR\fBkmf_is_crl_file\fR
\fBkmf_ku_to_string\fR\fBkmf_list_crl\fR
\fBkmf_map_cert_to_name\fR\fBkmf_match_cert_to_name\fR
\fBkmf_oid_to_ekuname\fR\fBkmf_oid_to_string\fR
\fBkmf_pem_to_der\fR\fBkmf_pk11_token_lookup\fR
\fBkmf_read_input_file\fR\fBkmf_select_token\fR
\fBkmf_set_attr\fR\fBkmf_set_attr_at_index\fR
\fBkmf_set_cert_basic_constraint\fR\fBkmf_set_cert_extn\fR
\fBkmf_set_cert_issuer\fR\fBkmf_set_cert_issuer_altname\fR
\fBkmf_set_cert_ku\fR\fBkmf_set_cert_pubkey\fR
\fBkmf_set_cert_serial\fR\fBkmf_set_cert_sig_alg\fR
\fBkmf_set_cert_subject\fR\fBkmf_set_cert_subject_altname\fR
\fBkmf_set_cert_validity\fR\fBkmf_set_cert_version\fR
\fBkmf_set_cert_spk_id\fR\fBkmf_set_csr_extn\fR
\fBkmf_set_csr_ku\fR\fBkmf_set_csr_pubkey\fR
\fBkmf_set_csr_sig_alg\fR\fBkmf_set_csr_subject\fR
\fBkmf_set_csr_subject_altname\fR\fBkmf_set_csr_version\fR
\fBkmf_set_mapper_lasterror\fR\fBkmf_set_mapper_options\fR
\fBkmf_set_policy\fR\fBkmf_set_token_pin\fR
\fBkmf_sign_cert\fR\fBkmf_sign_csr\fR
\fBkmf_sign_data\fR\fBkmf_store_cert\fR
\fBkmf_store_key\fR\fBkmf_string_to_ku\fR
\fBkmf_string_to_oid\fR\fBkmf_validate_cert\fR
\fBkmf_verify_cert\fR\fBkmf_verify_crl_file\fR
\fBkmf_verify_csr\fR\fBkmf_verify_data\fR
\fBkmf_verify_policy\fR
.TE

.SH EXAMPLES
.LP
\fBExample 1 \fRConfiguring the certificate to name mapping.
.sp
.LP
The following example configures the default certificate to name  mapping to use the CN mapper while ignoring the case sensitivity when matching the certificates.

.sp
.in +2
.nf
$ kmfcfg modify policy=default mapper-name=cn \e
     mapper-options=casesensitive
.fi
.in -2
.sp

.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/lib/libkmf.so.1\fR\fR
.ad
.RS 27n
.rt  
shared object
.RE

.sp
.ne 2
.mk
.na
\fB\fB/lib/64/libkmf.so.1\fR\fR
.ad
.RS 27n
.rt  
64-bit shared object
.RE

.sp
.ne 2
.mk
.na
\fB\fB/usr/include/kmfapi.h\fR\fR
.ad
.RS 27n
.rt  
KMF function definitions
.RE

.sp
.ne 2
.mk
.na
\fB\fB/usr/include/kmftypes.h\fR\fR
.ad
.RS 27n
.rt  
KMF structures and types.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Availabilitysystem/core-os
Interface StabilityCommitted
_
MT-LevelSafe
.TE

.SH SEE ALSO
.sp
.LP
\fBkmfcfg\fR(1), \fBpktool\fR(1), \fBattributes\fR(5)
.sp
.LP
\fIDeveloper\&'s Guide to Oracle Solaris 11 Security\fR