TP_CrlSign(3)TP_CrlSign(3)NAME
TP_CrlSign, CSSM_TP_CrlSign - Determine if signer certificate is
trusted (CDSA)
SYNOPSIS
# include <cdsa/cssm.h>
API: CSSM_RETURN CSSMAPI CSSM_TP_CrlSign (CSSM_TP_HANDLE TPHandle,
CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const
CSSM_ENCODED_CRL *CrlToBeSigned, const CSSM_CERTGROUP *SignerCertGroup,
const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, CSSM_TP_VERIFY_CON‐
TEXT_RESULT_PTR SignerVerifyResult, CSSM_DATA_PTR SignedCrl) SPI:
CSSM_RETURN CSSMTPI TP_CrlSign (CSSM_TP_HANDLE TPHandle, CSSM_CL_HANDLE
CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_ENCODED_CRL *CrlToBe‐
Signed, const CSSM_CERTGROUP *SignerCertGroup, const CSSM_TP_VER‐
IFY_CONTEXT *SignerVerifyContext, CSSM_TP_VERIFY_CONTEXT_RESULT_PTR
SignerVerifyResult, CSSM_DATA_PTR SignedCrl)
LIBRARY
Common Security Services Manager library (libcssm.so)
PARAMETERS
The handle that describes the add-in trust policy module used to per‐
form this function. The handle that describes the add-in certificate
library module that can be used to manipulate the certificates to be
verified. If no certificate library module is specified, the TP module
uses an assumed CL module, if required. The handle that describes the
cryptographic context for signing the CRL. This context also identifies
the cryptographic service provider to be used to perform the signing
operation. If this handle is not provided by the caller, the trust pol‐
icy module can assume a default signing algorithm and a default CSP. If
the trust policy module does not assume defaults or the default CSP is
not available on the local system an error occurs. A pointer to the
CSSM_DATA structure containing a certificate revocation list to be
signed. A pointer to the CSSM_CERTGROUP structure containing one or
more related certificates that partially or fully represent the signer
of the certificate revocation list. The first certificate in the group
is the target certificate representing the CRL signer. Use of subse‐
quent certificates is specific to the trust domain. For example, in a
hierarchical trust model subsequent members are intermediate certifi‐
cates of a certificate chain. A structure containing credentials, pol‐
icy information, and contextual information to be used in the verifica‐
tion process. All of the input values in the context are optional. The
service provider can define default values or can attempt to operate
without input for all the other fields of this input structure. The
operation can fail if a necessary input value is omitted and the ser‐
vice module can not define an appropriate default value. A pointer to
a structure containing information generation during the verification
process. The information can include:
Evidence .PP (output/optional)
NumberOfEvidences .PP (output/optional)
A pointer to the CSSM_DATA structure containing the signed cer‐
tificate revocation list. The SignedCrl->Data is allocated by
the service provider and must be deallocated by the application.
DESCRIPTION
The TP module decides whether the signer certificate is trusted to sign
the entire certificate revocation list. The signer certificate group is
first authenticated and its applicability to perform this operation is
determined. Once the trust is established, this operation signs the
entire certificate revocation list. Individual records within the cer‐
tificate revocation list were signed when they were added to the list.
The caller must provide a credential that permits the caller to use the
private key for this signing operation. The credential can be provided
in the cryptographic context CCHandle. If CCHandle is NULL, the creden‐
tials in the SignerVerifyContext specify the credential value.
RETURN VALUE
A CSSM_RETURN value indicating success or specifying a particular error
condition. The value CSSM_OK indicates success. All other values repre‐
sent an error condition.
ERRORS
Errors are described in the CDSA technical standard. See
CDSA_intro(3). CSSMERR_TP_INVALID_CL_HANDLE CSSMERR_TP_INVALID_CON‐
TEXT_HANDLE CSSMERR_TP_INVALID_CRL_TYPE CSSMERR_TP_INVALID_CRL_ENCODING
CSSMERR_TP_INVALID_CRL_POINTER CSSMERR_TP_INVALID_CRL CSS‐
MERR_TP_INVALID_CERTGROUP_POINTER CSSMERR_TP_INVALID_CERTGROUP CSS‐
MERR_TP_INVALID_CERTIFICATE CSSMERR_TP_INVALID_ACTION CSS‐
MERR_TP_INVALID_ACTION_DATA CSSMERR_TP_VERIFY_ACTION_FAILED CSS‐
MERR_TP_INVALID_CRLGROUP_POINTER CSSMERR_TP_INVALID_CRLGROUP CSS‐
MERR_TP_INVALID_CRL_AUTHORITY CSSMERR_TP_INVALID_CALLERAUTH_CON‐
TEXT_POINTER CSSMERR_TP_INVALID_POLICY_IDENTIFIERS CSS‐
MERR_TP_INVALID_TIMESTRING CSSMERR_TP_INVALID_STOP_ON_POLICY CSS‐
MERR_TP_INVALID_CALLBACK CSSMERR_TP_INVALID_ANCHOR_CERT CSS‐
MERR_TP_CERTGROUP_INCOMPLETE CSSMERR_TP_INVALID_DL_HANDLE CSS‐
MERR_TP_INVALID_DB_HANDLE CSSMERR_TP_INVALID_DB_LIST_POINTER CSS‐
MERR_TP_INVALID_DB_LIST CSSMERR_TP_AUTHENTICATION_FAILED CSS‐
MERR_TP_INSUFFICIENT_CREDENTIALS CSSMERR_TP_NOT_TRUSTED CSS‐
MERR_TP_CERT_REVOKED CSSMERR_TP_CERT_SUSPENDED CSSMERR_TP_CERT_EXPIRED
CSSMERR_TP_CERT_NOT_VALID_YET CSSMERR_TP_INVALID_CERT_AUTHORITY CSS‐
MERR_TP_INVALID_SIGNATURE CSSMERR_TP_INVALID_NAME CSSMERR_TP_CERTIFI‐
CATE_CANT_OPERATE
SEE ALSO
Books
Intel CDSA Application Developer's Guide (see CDSA_intro(3))
Reference Pages
Functions for the CSSM API:
CSSM_CL_CrlSign(3)
Functions for the TP SPI:
CL_CrlSign(3)TP_CrlSign(3)