TP_CrlVerify(3)TP_CrlVerify(3)NAME
TP_CrlVerify, CSSM_TP_CrlVerify - Verify integrity of the certificate
revocation list (CDSA)
SYNOPSIS
# include <cdsa/cssm.h>
API: CSSM_RETURN CSSMAPI CSSM_TP_CrlVerify (CSSM_TP_HANDLE TPHandle,
CSSM_CL_HANDLE CLHandle, CSSM_CSP_HANDLE CSPHandle, const
CSSM_ENCODED_CRL *CrlToBeVerified, const CSSM_CERTGROUP *SignerCert‐
Group, const CSSM_TP_VERIFY_CONTEXT *VerifyContext, CSSM_TP_VERIFY_CON‐
TEXT_RESULT_PTR RevokerVerifyResult) SPI: CSSM_RETURN CSSMTPI
TP_CrlVerify (CSSM_TP_HANDLE TPHandle, CSSM_CL_HANDLE CLHandle,
CSSM_CSP_HANDLE CSPHandle, const CSSM_ENCODED_CRL *CrlToBeVerified,
const CSSM_CERTGROUP *SignerCertGroup, const CSSM_TP_VERIFY_CONTEXT
*VerifyContext, CSSM_TP_VERIFY_CONTEXT_RESULT_PTR RevokerVerifyResult)
LIBRARY
Common Security Services Manager library (libcssm.so)
PARAMETERS
The handle that describes the add-in trust policy module used to per‐
form this function. The handle that describes the add-in certificate
library module that can be used to manipulate the certificates to be
verified. If no certificate library module is specified, the TP module
uses an assumed CL module, if required. The handle referencing a Cryp‐
tographic Service Provider to be used to verify signatures on the
signer's certificate and on the CRL. The TP module is responsible for
creating the cryptographic context structure required to perform the
verification operation. If no CSP is specified, the TP module uses an
assumed CSP to perform the operations. A pointer to the CSSM_DATA
structure containing a signed certificate revocation list to be veri‐
fied. The CRL type and encoding are included in this structure. A
pointer to the CSSM_CERTGROUP structure containing one or more related
certificates that paretially or fully represent the signer of the cer‐
tificate revocation list. The first certificate in the group is the
target certificate representing the CRL signer. Use of subsequent cer‐
tificates is specific to the trust domain. For example, in a hierarchi‐
cal trust model subsequent members are intermediate certificates of a
certificate chain - the caller can specify additional points of trust
represented by anchor certificates in the VerifyContext. The trust pol‐
icy module can use these additional points of trust in the verification
process. A structure containing credentials, policy information, and
contextual information to be used in the verification process. All of
the input values in the context are optional. The service provider can
define default values or can attempt to operate without input for all
the other fields of this input structure. The operation can fail if a
necessary input value is omitted and the service module can not define
an appropriate default value A pointer to a structure containing infor‐
mation generation during the verification process. The information can
include:
Evidence .PP (output/optional)
NumberOfEvi‐ .PP (output/optional)
dences
DESCRIPTION
This function verifies the integrity of the certificate revocation list
and determines whether it is trusted. The conditions for trust are part
of the trust policy module. It can include conditions such as validity
of the signer's certificate, verification of the signature on the CRL,
the identity of the signer, the identity of the sender of the CRL, date
the CRL was issued, the effective dates on the CRL, and so on.
The caller can specify additional points of trust represented by anchor
certificates in the VerifyContext. The trust policy module can use
these additional points of trust in the verification process.
RETURN VALUE
A CSSM_RETURN value indicating success or specifying a particular error
condition. The value CSSM_OK indicates success. All other values repre‐
sent an error condition.
ERRORS
Errors are described in the CDSA technical standard. See
CDSA_intro(3). CSSMERR_TP_INVALID_CL_HANDLE CSS‐
MERR_TP_INVALID_CSP_HANDLE CSSMERR_TP_INVALID_CRL_TYPE CSS‐
MERR_TP_INVALID_CRL_ENCODING CSSMERR_TP_INVALID_CRL_POINTER CSS‐
MERR_TP_INVALID_CRL CSSMERR_TP_INVALID_CERTGROUP_POINTER CSS‐
MERR_TP_INVALID_CERTGROUP CSSMERR_TP_INVALID_CERTIFICATE CSS‐
MERR_TP_INVALID_ACTION CSSMERR_TP_INVALID_ACTION_DATA CSSMERR_TP_VER‐
IFY_ACTION_FAILED CSSMERR_TP_INVALID_CRLGROUP_POINTER CSS‐
MERR_TP_INVALID_CRLGROUP CSSMERR_TP_INVALID_CRL_AUTHORITY CSS‐
MERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER CSSMERR_TP_INVALID_POL‐
ICY_IDENTIFIERS CSSMERR_TP_INVALID_TIMESTRING CSS‐
MERR_TP_INVALID_STOP_ON_POLICY CSSMERR_TP_INVALID_CALLBACK CSS‐
MERR_TP_INVALID_ANCHOR_CERT CSSMERR_TP_CERTGROUP_INCOMPLETE CSS‐
MERR_TP_INVALID_DL_HANDLE CSSMERR_TP_INVALID_DB_HANDLE CSS‐
MERR_TP_INVALID_DB_LIST_POINTER CSSMERR_TP_INVALID_DB_LIST CSS‐
MERR_TP_AUTHENTICATION_FAILED CSSMERR_TP_INSUFFICIENT_CREDENTIALS CSS‐
MERR_TP_NOT_TRUSTED CSSMERR_TP_CERT_REVOKED CSSMERR_TP_CERT_SUSPENDED
CSSMERR_TP_CERT_EXPIRED CSSMERR_TP_CERT_NOT_VALID_YET CSS‐
MERR_TP_INVALID_CERT_AUTHORITY CSSMERR_TP_INVALID_SIGNATURE CSS‐
MERR_TP_INVALID_NAME CSSMERR_TP_CERTIFICATE_CANT_OPERATE
SEE ALSO
Books
Intel CDSA Application Developer's Guide (see CDSA_intro(3))
Reference Pages
Functions for the CSSM API:
CSSM_CL_CrlVerify(3)
Functions for the TP SPI:
CL_CrlVerify(3)TP_CrlVerify(3)
