Copyright Digital Equipment Corp. All rights reserved.

TP_CertSign

NAME
  TP_CertSign,
  CSSM_TP_CertSign - Determine if signer certificate is trusted (CDSA)

SYNOPSIS
  # include <cssm.h>

   API:
       CSSM_RETURN CSSMAPI CSSM_TP_CertSign
       (CSSM_TP_HANDLE TPHandle,
       CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *CertTemplateToBeSigned,
       const CSSM_CERTGROUP *SignerCertGroup,
       const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
       CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult,
       CSSM_DATA_PTR SignedCert)
   SPI:
       CSSM_RETURN CSSMTPI TP_CertSign
       (CSSM_TP_HANDLE TPHandle,
       CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *CertTemplateToBeSigned,
       const CSSM_CERTGROUP *SignerCertGroup,
       const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
       CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult,
       CSSM_DATA_PTR SignedCert)

LIBRARY
  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS
  TPHandle (input)
          The handle that describes the add-in trust policy module
          used to perform this function.

  CLHandle (input/optional)
          The handle that describes the add-in certificate library
          module used to perform this function.

  CCHandle (input/optional)
          The handle that describes the cryptographic context for
          signing the certificate.  This context also identifies the
          cryptographic service provider to be used to perform the
          signing operation. If this handle is not provided by the
          caller, the trust policy module can assume a default signing
          algorithm and a default CSP. If the trust policy module does
          not assume defaults or the default CSP is not available on
          the local system, an error occurs.

  CertTemplateToBeSigned (input)
          A pointer to a structure containing a certificte template
          to be signed. The CRL type and encoded are included in this
          structure.

  SignerCertGroup (input)
          A group of one or more certificates that partially or fully
          represent the signer for this operation. The first certificate
          in the group is the target certificate representing the signer.
          Use of subsequent certificates is specific to the trust domain.
          For example, in a hierarchical trust model subsequent members
          are intermediate certificates of a certificate chain.

  SignerVerifyContext (input/optional)
          A structure containing credentials, policy information, and
          contextual information to be used in the verification process.
          All of the input values in the context are optional. The
          service provider can define default values or can attempt to
          operate without input for all the other fields of this input
          structure. The operation can fail if a necessary input value
          is omitted and the service module can not define an
          appropriate default value.

  SignerVerifyResult (output/optional)
          A pointer to a structure containing information generated
          during the verification process. The information can include:

          Evidence            (output/optional)
          NumberOfEvidences   (output/optional)

  SignedCert (output)
          A pointer to the CSSM_DATA structure containing the signed
          certificate. The SignedCert->Data is allocated by the service
          provider and must be deallocated by the application.

DESCRIPTION
  The TP module decides whether the signer certificate is trusted to
  sign the CertTemplateToBeSigned. The signer certificate group is
  first authenticated and its applicability to perform this operation
  is determined. Once the trust is established, this operation signs
  the entire certificate. The caller must provide a credential that
  permits the caller to use the private key for this signing operation.
  The credential can be provided in the cryptographic context CCHandle.
  If CCHandle is NULL, the credentials in the SignerVerifyContext
  specify the credential value.

RETURN VALUE
  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other
  values represent an error condition.

ERRORS
  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_TP_INVALID_CL_HANDLE
       CSSMERR_TP_INVALID_CONTEXT_HANDLE
       CSSMERR_TP_INVALID_CERTGROUP_POINTER
       CSSMERR_TP_INVALID_CERTGROUP
       CSSMERR_TP_INVALID_CERTIFICATE
       CSSMERR_TP_UNKNOWN_FORMAT
       CSSMERR_TP_INVALID_ACTION
       CSSMERR_TP_INVALID_ACTION_DATA
       CSSMERR_TP_VERIFY_ACTION_FAILED
       CSSMERR_TP_INVALID_CRLGROUP_POINTER
       CSSMERR_TP_INVALID_CRLGROUP
       CSSMERR_TP_INVALID_CRL_AUTHORITY
       CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER
       CSSMERR_TP_INVALID_POLICY_IDENTIFIERS
       CSSMERR_TP_INVALID_TIMESTRING
       CSSMERR_TP_INVALID_STOP_ON_POLICY
       CSSMERR_TP_INVALID_CALLBACK
       CSSMERR_TP_INVALID_ANCHOR_CERT
       CSSMERR_TP_CERTGROUP_INCOMPLETE
       CSSMERR_TP_INVALID_DL_HANDLE
       CSSMERR_TP_INVALID_DB_HANDLE
       CSSMERR_TP_INVALID_DB_LIST_POINTER
       CSSMERR_TP_INVALID_DB_LIST
       CSSMERR_TP_AUTHENTICATION_FAILED
       CSSMERR_TP_INSUFFICIENT_CREDENTIALS
       CSSMERR_TP_NOT_TRUSTED
       CSSMERR_TP_CERT_REVOKED
       CSSMERR_TP_CERT_SUSPENDED
       CSSMERR_TP_CERT_EXPIRED
       CSSMERR_TP_CERT_NOT_VALID_YET
       CSSMERR_TP_INVALID_CERT_AUTHORITY
       CSSMERR_TP_INVALID_SIGNATURE
       CSSMERR_TP_INVALID_NAME
       CSSMERR_TP_CERTIFICATE_CANT_OPERATE

SEE ALSO
  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_TP_CertCreateTemplate
      CSSM_TP_CrlSign

  Functions for the TP SPI:

      TP_CertCreateTemplate
      TP_CrlSign