TP_CrlSign(3)

NAME

       TP_CrlSign, CSSM_TP_CrlSign - Determine if signer certificate
       is trusted (CDSA)

SYNOPSIS

       #include <cdsa/cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_TP_CrlSign
           (CSSM_TP_HANDLE TPHandle,
            CSSM_CL_HANDLE CLHandle,
            CSSM_CC_HANDLE CCHandle,
            const CSSM_ENCODED_CRL *CrlToBeSigned,
            const CSSM_CERTGROUP *SignerCertGroup,
            const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
            CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult,
            CSSM_DATA_PTR SignedCrl)

       SPI:
       CSSM_RETURN CSSMTPI TP_CrlSign
           (CSSM_TP_HANDLE TPHandle,
            CSSM_CL_HANDLE CLHandle,
            CSSM_CC_HANDLE CCHandle,
            const CSSM_ENCODED_CRL *CrlToBeSigned,
            const CSSM_CERTGROUP *SignerCertGroup,
            const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
            CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult,
            CSSM_DATA_PTR SignedCrl)


LIBRARY

       Common Security Services Manager library (libcssm.so)

PARAMETERS

       TPHandle
              The handle that describes the add-in trust policy module
              used to perform this function.

       CLHandle
              The handle that describes the add-in certificate library
              module that can be used to manipulate the certificates to
              be verified. If no certificate library module is
              specified, the TP module uses an assumed CL module, if
              required.

       CCHandle
              The handle that describes the cryptographic context for
              signing the CRL. This context also identifies the
              cryptographic service provider to be used to perform the
              signing operation. If this handle is not provided by the
              caller, the trust policy module can assume a default
              signing algorithm and a default CSP. If the trust policy
              module does not assume defaults, or the default CSP is
              not available on the local system, an error occurs.

       CrlToBeSigned
              A pointer to the CSSM_DATA structure containing a
              certificate revocation list to be signed.

       SignerCertGroup
              A pointer to the CSSM_CERTGROUP structure containing one
              or more related certificates that partially or fully
              represent the signer of the certificate revocation list.
              The first certificate in the group is the target
              certificate representing the CRL signer. Use of
              subsequent certificates is specific to the trust domain.
              For example, in a hierarchical trust model subsequent
              members are intermediate certificates of a certificate
              chain.

       SignerVerifyContext
              A structure containing credentials, policy information,
              and contextual information to be used in the
              verification process. All of the input values in the
              context are optional. The service provider can define
              default values or can attempt to operate without input
              for all the other fields of this input structure. The
              operation can fail if a necessary input value is omitted
              and the service module cannot define an appropriate
              default value.

       SignerVerifyResult
              A pointer to a structure containing information
              generated during the verification process. The
              information can include:

              Evidence            (output/optional)
              NumberOfEvidences   (output/optional)

       SignedCrl
              A pointer to the CSSM_DATA structure containing the
              signed certificate revocation list. The SignedCrl->Data
              is allocated by the service provider and must be
              deallocated by the application.

DESCRIPTION

       The TP module decides whether the signer certificate is
       trusted to sign the entire certificate revocation list.
       The signer certificate group is first authenticated and
       its applicability to perform this operation is determined.
       Once the trust is established, this operation signs the
       entire certificate revocation list. Individual records
       within the certificate revocation list were signed when
       they were added to the list. The caller must provide a
       credential that permits the caller to use the private key
       for this signing operation. The credential can be provided
       in the cryptographic context CCHandle. If CCHandle is NULL,
       the credentials in the SignerVerifyContext specify the
       credential value.

RETURN VALUE

       A  CSSM_RETURN  value  indicating  success or specifying a
       particular error condition. The  value  CSSM_OK  indicates
       success. All other values represent an error condition.

ERRORS

       Errors are described in the CDSA technical standard. See
       CDSA_intro(3).

       CSSMERR_TP_INVALID_CL_HANDLE
       CSSMERR_TP_INVALID_CONTEXT_HANDLE
       CSSMERR_TP_INVALID_CRL_TYPE
       CSSMERR_TP_INVALID_CRL_ENCODING
       CSSMERR_TP_INVALID_CRL_POINTER
       CSSMERR_TP_INVALID_CRL
       CSSMERR_TP_INVALID_CERTGROUP_POINTER
       CSSMERR_TP_INVALID_CERTGROUP
       CSSMERR_TP_INVALID_CERTIFICATE
       CSSMERR_TP_INVALID_ACTION
       CSSMERR_TP_INVALID_ACTION_DATA
       CSSMERR_TP_VERIFY_ACTION_FAILED
       CSSMERR_TP_INVALID_CRLGROUP_POINTER
       CSSMERR_TP_INVALID_CRLGROUP
       CSSMERR_TP_INVALID_CRL_AUTHORITY
       CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER
       CSSMERR_TP_INVALID_POLICY_IDENTIFIERS
       CSSMERR_TP_INVALID_TIMESTRING
       CSSMERR_TP_INVALID_STOP_ON_POLICY
       CSSMERR_TP_INVALID_CALLBACK
       CSSMERR_TP_INVALID_ANCHOR_CERT
       CSSMERR_TP_CERTGROUP_INCOMPLETE
       CSSMERR_TP_INVALID_DL_HANDLE
       CSSMERR_TP_INVALID_DB_HANDLE
       CSSMERR_TP_INVALID_DB_LIST_POINTER
       CSSMERR_TP_INVALID_DB_LIST
       CSSMERR_TP_AUTHENTICATION_FAILED
       CSSMERR_TP_INSUFFICIENT_CREDENTIALS
       CSSMERR_TP_NOT_TRUSTED
       CSSMERR_TP_CERT_REVOKED
       CSSMERR_TP_CERT_SUSPENDED
       CSSMERR_TP_CERT_EXPIRED
       CSSMERR_TP_CERT_NOT_VALID_YET
       CSSMERR_TP_INVALID_CERT_AUTHORITY
       CSSMERR_TP_INVALID_SIGNATURE
       CSSMERR_TP_INVALID_NAME
       CSSMERR_TP_CERTIFICATE_CANT_OPERATE


SEE ALSO

       Books

       Intel CDSA Application Developer's Guide (see CDSA_intro(3))

       Reference Pages

       Functions for the CSSM API:

       CSSM_CL_CrlSign(3)

       Functions for the TP SPI:

       CL_CrlSign(3)


