Previous section.

Common Security: CDSA and CSSM
Copyright © 1997 The Open Group




    const CSSM_DL_DB_LIST_PTR DBList,
    const CSSM_DATA_PTR CrlToBeApplied,
    CSSM_CRL_TYPE CrlType,
    CSSM_CRL_ENCODING CrlEncoding,
    const CSSM_CERTGROUP_PTR SignerCert,
    const CSSM_VERIFYCONTEXT_PTR SignerVerifyContext)


This function first determines whether the memory-resident CRL is trusted. The CRL is authenticated, its signer is verified, and its authority to update the data sources is determined. If trust is established, this function updates persistent storage to reflect entries in the certificate revocation list. This results in designating persistent certificates as revoked.


TPHandle (input)

The handle that describes the add-in trust policy module used to perform this function.

CLHandle (input/optional)

The handle that describes the add-in certificate library module that can be used to manipulate the CRL as it is applied to the data store and to manipulate the certificates effected by the CRL, if required. If no certificate library module is specified, the TP module uses an assumed CL module, if required. If optional, the caller will set this value to 0.

CSPHandle (input/optional)

The handle referencing a Cryptographic Service Provider to be used to verify signatures on the CRL determining whether to trust the CRL and apply it to the data store. The TP module is responsible for creating the cryptographic context structures required to perform the verification operation. If no CSP is specified, the TP module uses an assumed CSP to perform these operations. If optional, the caller will set this value to 0.

DBList (input/optional)

A list of handle pairs specifying a data storage library module and a data store managed by that module. These data stores can contain certificates that might be effected by the CRL, they may contain CRLs, or both. If no DL and DB handle pairs are specified, the TP module must use an assumed DL module and an assumed data store for this operation. If optional, the caller will set this value to NULL.

CrlToBeApplied (input)

A pointer to the CSSM_DATA structure containing a certificate revocation list to be applied to the data store.

CrlType (input)

An indicator of the type of CRL contained in the CrlToBeApplied.

CrlEncoding (input)

An indicator of the encoding of CRL contained in the CrlToBeApplied.

SignerCert (input)

A group of one or more certificates that partially or fully represent the signer of the certificate revocation list. The first certificate in the group is the target certificate representing the signer. Use of subsequent certificates is specific to the trust domain. For example, in a hierarchical trust model subsequent members are intermediate certificates of a certificate chain.

SignerVerifyContext (input)

A structure containing policy elements useful in verifying certificates and their use with respect to a security policy. Optional elements in the verify context left unspecified will cause the internal default values to be used. Default values are specified in the TP module vendor release documents. This context is used to verify the signer's authority to sign and issue certificate revocation lists.


A CSSM_OK return value means the certificate revocation list has been used to update the revocation status of certificates in the specified database. If CSSM_FAIL is returned, an error has occurred. This function can also return errors specific to CSP, CL, and DL modules.



Invalid certificate revocation list.


Certificate revocation list can't be trusted.


Unable to apply certificate revocation list on database.


Invalid handle.


Invalid handle.


Invalid handle.


Invalid handle.


Function not implemented.


CSSM_CL_CrlGetFirstItem, CSSM_CL_CrlGetNextItem, CSSM_DL_CertRevoke

Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy of this publication.
You should also read the legal notice explaining the terms and conditions relating to the CDSA documentation.

Contents Next section Index