NAME TP_CertSign, CSSM_TP_CertSign - Determine if signer certificate is trusted (CDSA) SYNOPSIS # include <cssm.h> API: CSSM_RETURN CSSMAPI CSSM_TP_CertSign (CSSM_TP_HANDLE TPHandle, CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *CertTemplateToBeSigned, const CSSM_CERTGROUP *SignerCertGroup, const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult, CSSM_DATA_PTR SignedCert) SPI: CSSM_RETURN CSSMTPI TP_CertSign (CSSM_TP_HANDLE TPHandle, CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle, const CSSM_DATA *CertTemplateToBeSigned, const CSSM_CERTGROUP *SignerCertGroup, const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult, CSSM_DATA_PTR SignedCert) LIBRARY Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE) PARAMETERS TPHandle (input) The handle that describes the add-in trust policy module used to perform this function. CLHandle (input/optional) The handle that describes the add-in certificate library module used to perform this function. CCHandle (input/optional) The handle that describes the cryptographic context for signing the certificate. This context also identifies the cryptographic service provider to be used to perform the signing operation. If this handle is not provided by the caller, the trust policy module can assume a default signing algorithm and a default CSP. If the trust policy module does not assume defaults or the default CSP is not available on the local system, an error occurs. CertTemplateToBeSigned (input) A pointer to a structure containing a certificte template to be signed. The CRL type and encoded are included in this structure. SignerCertGroup (input) A group of one or more certificates that partially or fully represent the signer for this operation. The first certificate in the group is the target certificate representing the signer. Use of subsequent certificates is specific to the trust domain. For example, in a hierarchical trust model subsequent members are intermediate certificates of a certificate chain. SignerVerifyContext (input/optional) A structure containing credentials, policy information, and contextual information to be used in the verification process. All of the input values in the context are optional. The service provider can define default values or can attempt to operate without input for all the other fields of this input structure. The operation can fail if a necessary input value is omitted and the service module can not define an appropriate default value. SignerVerifyResult (output/optional) A pointer to a structure containing information generated during the verification process. The information can include: Evidence (output/optional) NumberOfEvidences (output/optional) SignedCert (output) A pointer to the CSSM_DATA structure containing the signed certificate. The SignedCert->Data is allocated by the service provider and must be deallocated by the application. DESCRIPTION The TP module decides whether the signer certificate is trusted to sign the CertTemplateToBeSigned. The signer certificate group is first authenticated and its applicability to perform this operation is determined. Once the trust is established, this operation signs the entire certificate. The caller must provide a credential that permits the caller to use the private key for this signing operation. The credential can be provided in the cryptographic context CCHandle. If CCHandle is NULL, the credentials in the SignerVerifyContext specify the credential value. RETURN VALUE A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition. ERRORS Errors are described in the CDSA technical standard. See CDSA. CSSMERR_TP_INVALID_CL_HANDLE CSSMERR_TP_INVALID_CONTEXT_HANDLE CSSMERR_TP_INVALID_CERTGROUP_POINTER CSSMERR_TP_INVALID_CERTGROUP CSSMERR_TP_INVALID_CERTIFICATE CSSMERR_TP_UNKNOWN_FORMAT CSSMERR_TP_INVALID_ACTION CSSMERR_TP_INVALID_ACTION_DATA CSSMERR_TP_VERIFY_ACTION_FAILED CSSMERR_TP_INVALID_CRLGROUP_POINTER CSSMERR_TP_INVALID_CRLGROUP CSSMERR_TP_INVALID_CRL_AUTHORITY CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER CSSMERR_TP_INVALID_POLICY_IDENTIFIERS CSSMERR_TP_INVALID_TIMESTRING CSSMERR_TP_INVALID_STOP_ON_POLICY CSSMERR_TP_INVALID_CALLBACK CSSMERR_TP_INVALID_ANCHOR_CERT CSSMERR_TP_CERTGROUP_INCOMPLETE CSSMERR_TP_INVALID_DL_HANDLE CSSMERR_TP_INVALID_DB_HANDLE CSSMERR_TP_INVALID_DB_LIST_POINTER CSSMERR_TP_INVALID_DB_LIST CSSMERR_TP_AUTHENTICATION_FAILED CSSMERR_TP_INSUFFICIENT_CREDENTIALS CSSMERR_TP_NOT_TRUSTED CSSMERR_TP_CERT_REVOKED CSSMERR_TP_CERT_SUSPENDED CSSMERR_TP_CERT_EXPIRED CSSMERR_TP_CERT_NOT_VALID_YET CSSMERR_TP_INVALID_CERT_AUTHORITY CSSMERR_TP_INVALID_SIGNATURE CSSMERR_TP_INVALID_NAME CSSMERR_TP_CERTIFICATE_CANT_OPERATE SEE ALSO Books Intel CDSA Application Developer's Guide (see CDSA) Other Help Topics Functions for the CSSM API: CSSM_TP_CertCreateTemplate CSSM_TP_CrlSign Functions for the TP SPI: TP_CertCreateTemplate TP_CrlSign