Library /sys$common/syshlp/helplib.hlb  —  CDSA  CDSA_API, TP CertGroupConstruct
 NAME
   TP_CertGroupConstruct,
   CSSM_TP_CertGroupConstruct - Construct credential (CDSA)

 SYNOPSIS
   # include <cssm.h>

    API:
        CSSM_RETURN CSSMAPI CSSM_TP_CertGroupConstruct
        (CSSM_TP_HANDLE TPHandle,
        CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_DL_DB_LIST *DBList,
        const void *ConstructParams,
        const CSSM_CERTGROUP *CertGroupFrag,
        CSSM_CERTGROUP_PTR *CertGroup)
    SPI:
        CSSM_RETURN CSSMTPI TP_CertGroupConstruct
        (CSSM_TP_HANDLE TPHandle,
        CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_DL_DB_LIST *DBList,
        const void *ConstructParams,
        const CSSM_CERTGROUP *CertGroupFrag,
        CSSM_CERTGROUP_PTR *CertGroup)

 LIBRARY
   Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

 PARAMETERS
   TPHandle (input)
           The handle to the trust policy module to perform this
           operation.

   CLHandle (input/optional)
           The handle to the certificate library module that can be used
           to manipulate and parse values in stored in the certgroup
           certificates. If no certificate library module is specified,
           the TP module uses an assumed CL module.

   CSPHandle (input./optional)
           A handle specifying the Cryptographic Service Provider to be
           used to verify certificates as the certificate group is
           constructed. If the a CSP handle is not specified, the trust
           policy module can assume a default CSP. If the module cannot
           assume a default, or the default CSP is not available on the
           local system, an error occurs.

   DBList (input)
           A list of handle pairs specifying a data storage library
           module and a data store, identifying certificate databases
           containing certificates (and possibly other security objects)
           that are managed by that module. certificates (and possibly
           other security objects).  The data stores should be searched
           to complete construction of a semantically-related certificate
           group.

   ConstructParams (input/optional)
           A pointer to data that can be used by the add-in trust
           policy module in constructing the CertGroup.  The semantics
           of this parameter are defined by the trust policy and the
           credential model supported by that policy. The input
           parameter can consist of a set of values, each guiding some
           aspect of the construction process. Parameter values can:

             · Limit the certificates that are added to the constructed
               set.

             · Identify other sources of certificates for inclusion in
               the constructed set.

   CertGroupFrag (input)
           A list of certificates that form a possibly incomplete
           set of certificates. The first certificate in the group
           represents the target certificate for which a group of
           semantically related certificates will be assembled.
           Subsequent intermediate certificates can be supplied by
           the caller.  They need not be in any particular order.

   CertGroup (output)
           A pointer to a complete certificate group based on the
           original subset of certificates and the certificate data
           stores. The CSSM_CERTGROUP and its sub-structure is
           allocated by the service provider and must be deallocated
           by the application.

 DESCRIPTION
   This function builds a collection of certificates that together
   make up a meaningful credential for a given trust domain. For
   example, in a hierarchical trust domain, a certificate group is a
   chain of certificates from an end entity to a top level certification
   authority. The constructed certificate group format (such as
   ordering) is implementation specific.  However, the subject or
   end-entity is always the first certificate in the group.

   A partially constructed certificate group is specified in
   CertGroupFrag.  The first certificate is interpreted to be the
   subject or end-entity certificate. Subsequent certificates in
   the CertGroupFrag structure may be used during the construction
   of a certificate group in conjunction with certificates found in
   the data stores specified in DBList. The trust policy defines the
   certificates that will be included in the resulting set.

   The output set is a sequence of certificates ordered by the
   relationship among them. The result set can be augmented by adding
   semantically-related certificates obtained by searching the
   certificate data stores specified in DBList. The data stores are
   searched in order of appearance in DBList. If the TP supports a
   hierarchical model of certificates, the function output is an
   uninterrupted, ordered chain of certificates based on the first
   certificate as the leaf of the certificate chain. If the certificate
   is multiply-signed, then the ordered chain will follow the first
   signing certificate.  The function should also detect cross-
   certificate pairs and should include both certificates without
   duplicating either certificate.

   Extraneous certificates in the CertGroupFrag fragment or contained
   in the DBList data stores are ignored. The certificate group returned
   by this function can be used as input to the function
   CSSM_TP_CertGroupVerify() (CSSM API), or TP_CertGroupVerify() (TP SPI).

   The constructed certificate group can be consistent locally or
   globally.  Consistency can be limited to the local system if locally-
   defined points of trust are inserted into the group.

 RETURN VALUE
   A CSSM_RETURN value indicating success or specifying a particular
   error condition. The value CSSM_OK indicates success. All other
   values represent an error condition.

 ERRORS
   Errors are described in the CDSA technical standard.  See CDSA.

        CSSMERR_TP_INVALID_CL_HANDLE
        CSSMERR_TP_INVALID_CSP_HANDLE
        CSSMERR_TP_INVALID_DL_HANDLE
        CSSMERR_TP_INVALID_DB_HANDLE
        CSSMERR_TP_INVALID_DB_LIST_POINTER
        CSSMERR_TP_INVALID_DB_LIST
        CSSMERR_TP_INVALID_CERTGROUP_POINTER
        CSSMERR_TP_INVALID_CERTGROUP
        CSSMERR_TP_INVALID_CERTIFICATE
        CSSMERR_TP_CERTGROUP_INCOMPLETE

 SEE ALSO
   Books

   Intel CDSA Application Developer's Guide (see CDSA)

   Other Help Topics

   Functions for the CSSM API:

       CSSM_TP_CertGroupPrune
       CSSM_TP_CertGroupVerify

   Functions for the TP SPI:

       TP_CertGroupPrune
       TP_CertGroupVerify
Close Help