NAME
TP_CrlSign,
CSSM_TP_CrlSign - Determine if signer certificate is trusted (CDSA)
SYNOPSIS
# include <cssm.h>
API:
CSSM_RETURN CSSMAPI CSSM_TP_CrlSign
(CSSM_TP_HANDLE TPHandle,
CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_ENCODED_CRL *CrlToBeSigned,
const CSSM_CERTGROUP *SignerCertGroup,
const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult,
CSSM_DATA_PTR SignedCrl)
SPI:
CSSM_RETURN CSSMTPI TP_CrlSign
(CSSM_TP_HANDLE TPHandle,
CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle,
const CSSM_ENCODED_CRL *CrlToBeSigned,
const CSSM_CERTGROUP *SignerCertGroup,
const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult,
CSSM_DATA_PTR SignedCrl)
LIBRARY
Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)
PARAMETERS
TPHandle (input)
The handle that describes the add-in trust policy module
used to perform this function.
CLHandle (input/optional)
The handle that describes the add-in certificate library
module that can be used to manipulate the certificates to
be verified. If no certificate library module is specified,
the TP module uses an assumed CL module, if required.
CCHandle (input/optional)
The handle that describes the cryptographic context for signing
the CRL. This context also identifies the cryptographic service
provider to be used to perform the signing operation. If this
handle is not provided by the caller, the trust policy module
can assume a default signing algorithm and a default CSP. If
the trust policy module does not assume defaults or the default
CSP is not available on the local system an error occurs.
CrlToBeSigned (input)
A pointer to the CSSM_DATA structure containing a certificate
revocation list to be signed.
SignerCertGroup (input)
A pointer to the CSSM_CERTGROUP structure containing one or
more related certificates that partially or fully represent
the signer of the certificate revocation list. The first
certificate in the group is the target certificate
representing the CRL signer. Use of subsequent certificates
is specific to the trust domain. For example, in a
hierarchical trust model subsequent members are intermediate
certificates of a certificate chain.
SignerVerifyContext (input/optional)
A structure containing credentials, policy information, and
contextual information to be used in the verification process.
All of the input values in the context are optional. The
service provider can define default values or can attempt to
operate without input for all the other fields of this input
structure. The operation can fail if a necessary input value
is omitted and the service module can not define an
appropriate default value.
SignerVerifyResult (output/optional)
A pointer to a structure containing information generation
during the verification process. The information can include:
Evidence (output/optional)
NumberOfEvidences (output/optional)
SignedCrl (output)
A pointer to the CSSM_DATA structure containing the signed
certificate revocation list. The SignedCrl->Data is allocated
by the service provider and must be deallocated by the
application.
DESCRIPTION
The TP module decides whether the signer certificate is trusted to
sign the entire certificate revocation list. The signer certificate
group is first authenticated and its applicability to perform this
operation is determined. Once the trust is established, this
operation signs the entire certificate revocation list. Individual
records within the certificate revocation list were signed when they
were added to the list. The caller must provide a credential that
permits the caller to use the private key for this signing operation.
The credential can be provided in the cryptographic context CCHandle.
If CCHandle is NULL, the credentials in the SignerVerifyContext
specify the credential value.
RETURN VALUE
A CSSM_RETURN value indicating success or specifying a particular
error condition. The value CSSM_OK indicates success. All other
values represent an error condition.
ERRORS
Errors are described in the CDSA technical standard. See CDSA.
CSSMERR_TP_INVALID_CL_HANDLE
CSSMERR_TP_INVALID_CONTEXT_HANDLE
CSSMERR_TP_INVALID_CRL_TYPE
CSSMERR_TP_INVALID_CRL_ENCODING
CSSMERR_TP_INVALID_CRL_POINTER
CSSMERR_TP_INVALID_CRL
CSSMERR_TP_INVALID_CERTGROUP_POINTER
CSSMERR_TP_INVALID_CERTGROUP
CSSMERR_TP_INVALID_CERTIFICATE
CSSMERR_TP_INVALID_ACTION
CSSMERR_TP_INVALID_ACTION_DATA
CSSMERR_TP_VERIFY_ACTION_FAILED
CSSMERR_TP_INVALID_CRLGROUP_POINTER
CSSMERR_TP_INVALID_CRLGROUP
CSSMERR_TP_INVALID_CRL_AUTHORITY
CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER
CSSMERR_TP_INVALID_POLICY_IDENTIFIERS
CSSMERR_TP_INVALID_TIMESTRING
CSSMERR_TP_INVALID_STOP_ON_POLICY
CSSMERR_TP_INVALID_CALLBACK
CSSMERR_TP_INVALID_ANCHOR_CERT
CSSMERR_TP_CERTGROUP_INCOMPLETE
CSSMERR_TP_INVALID_DL_HANDLE
CSSMERR_TP_INVALID_DB_HANDLE
CSSMERR_TP_INVALID_DB_LIST_POINTER
CSSMERR_TP_INVALID_DB_LIST
CSSMERR_TP_AUTHENTICATION_FAILED
CSSMERR_TP_INSUFFICIENT_CREDENTIALS
CSSMERR_TP_NOT_TRUSTED
CSSMERR_TP_CERT_REVOKED
CSSMERR_TP_CERT_SUSPENDED
CSSMERR_TP_CERT_EXPIRED
CSSMERR_TP_CERT_NOT_VALID_YET
CSSMERR_TP_INVALID_CERT_AUTHORITY
CSSMERR_TP_INVALID_SIGNATURE
CSSMERR_TP_INVALID_NAME
CSSMERR_TP_CERTIFICATE_CANT_OPERATE
SEE ALSO
Books
Intel CDSA Application Developer's Guide (see CDSA)
Other Help Topics
Functions for the CSSM API:
CSSM_CL_CrlSign
Functions for the TP SPI:
CL_CrlSign