TP_CrlVerify
```c
CSSM_BOOL CSSMTPI TP_CrlVerify
    (CSSM_TP_HANDLE TPHandle,
     CSSM_CL_HANDLE CLHandle,
     CSSM_CSP_HANDLE CSPHandle,
     const CSSM_DL_DB_LIST_PTR DBList,
     const CSSM_DATA_PTR CrlToBeVerified,
     CSSM_CRL_TYPE CrlType,
     CSSM_CRL_ENCODING CrlEncoding,
     const CSSM_CERTGROUP_PTR SignerCertGroup,
     const CSSM_VERIFYCONTEXT_PTR VerifyContext)
```
This function verifies the integrity of the certificate revocation list and determines whether it is trusted. Some of the checks that may be performed include: verifying the signatures on the signer's certificate group, establishing the authorization of the signer to issue CRLs, verifying the signature on the CRL, verifying the validity period of the CRL and the date the CRL was issued, and so on.
- TPHandle (input)
The handle that describes the add-in trust policy module used to perform this function.
- CLHandle (input/optional)
The handle that describes the add-in certificate library module that can be used to manipulate the certificates to be verified. If no certificate library module is specified, the TP module uses an assumed CL module, if required.
- CSPHandle (input/optional)
The handle referencing a Cryptographic Service Provider to be used to verify signatures on the signer's certificate and on the CRL. The TP module is responsible for creating the cryptographic context structure required to perform the verification operation. If no CSP is specified, the TP module uses an assumed CSP to perform the operations.
- DBList (input/optional)
A list of handle pairs specifying a data storage library module and a data store managed by that module. These data stores can be used to store or retrieve objects (such as certificates and CRLs) related to the signer's certificate. If no DL and DB handle pairs are specified, the TP module can use an assumed DL module and an assumed data store, if required.
- CrlToBeVerified (input)
A pointer to the CSSM_DATA structure containing a signed certificate revocation list to be verified.
- CrlType (input)
An indicator of the type of CRL contained in the CrlToBeVerified.
- CrlEncoding (input)
An indicator of the encoding of CRL contained in the CrlToBeVerified.
- SignerCertGroup (input)
A group of one or more certificates that partially or fully represent the signer of the certificate revocation list. The first certificate in the group is the target certificate representing the CRL signer. Use of subsequent certificates is specific to the trust domain. For example, in a hierarchical trust model subsequent members are intermediate certificates of a certificate chain.
- VerifyContext (input)
A structure containing policy elements useful in verifying certificates and their use with respect to a security policy. Optional elements in the verify context left unspecified will cause the internal default values to be used. Default values are specified in the TP module vendor release documents. This context is used to verify the CRL and the signer certificate group.
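The checks the description lists, and the SignerCertGroup convention that the first certificate is the signer and later ones are intermediates, worked through as an added example that is not part of the CDSA specification or of any TP module. It uses Go's standard crypto/x509 package in place of the CL, CSP and DL modules, with a root pool standing in for the trust anchors the verify context would supply. VerifyCRL is this example's stand-in for TP_CrlVerify; its error values are named after the spec's CSSM_TP_* codes but are the example's own. NewTestCRL is constructed scaffolding that mints a throwaway CA and a CRL with one made-up revoked serial so the block runs offline; its function names and the "Constructed Root CA" name are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcomes named after the CSSM_TP_* error codes listed for TP_CrlVerify (example's own values).
var (
	ErrInvalidCertificate = errors.New("CSSM_TP_INVALID_CERTIFICATE")
	ErrNotSigner          = errors.New("CSSM_TP_NOT_SIGNER")
	ErrNotTrusted         = errors.New("CSSM_TP_NOT_TRUSTED")
	ErrCrlVerifyFail      = errors.New("CSSM_TP_CRL_VERIFY_FAIL")
)

// VerifyCRL applies the checks in the order the description gives them; signerGroup[0]
// is the CRL signer and any later entries are treated as intermediates.
func VerifyCRL(crlDER []byte, signerGroup []*x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if len(signerGroup) == 0 {
		return ErrInvalidCertificate
	}
	signer, intermediates := signerGroup[0], x509.NewCertPool()
	for _, c := range signerGroup[1:] {
		intermediates.AddCert(c)
	}
	// 1. Signatures on the signer's certificate group: it must chain to a trusted root.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrNotTrusted, err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrCrlVerifyFail, err)
	}
	// 2. Authorisation to issue CRLs: the issuer name must be the signer's and cRLSign must be asserted.
	if !bytes.Equal(crl.RawIssuer, signer.RawSubject) || signer.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return ErrNotSigner
	}
	// 3. Signature on the CRL, checked with the signer's public key.
	if err := crl.CheckSignatureFrom(signer); err != nil {
		return fmt.Errorf("%w: %v", ErrNotSigner, err)
	}
	// 4. Issue date and validity period: thisUpdate <= now <= nextUpdate.
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return fmt.Errorf("%w: CRL not valid at %s", ErrCrlVerifyFail, now.Format(time.RFC3339))
	}
	return nil
}

// NewTestCRL is constructed scaffolding: it builds a self-signed CA authorised to sign
// CRLs and has it issue a CRL (one made-up revoked serial) valid over [thisUpdate, nextUpdate].
func NewTestCRL(thisUpdate, nextUpdate time.Time) ([]byte, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             time.Now().Add(-24 * time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId is populated
	if err != nil {
		return nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(7),
		ThisUpdate:          thisUpdate,
		NextUpdate:          nextUpdate,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: thisUpdate}},
	}
	crl, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return crl, ca, err
}

func main() {
	crl, ca, err := NewTestCRL(time.Now().Add(-time.Minute), time.Now().Add(time.Hour))
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("fresh CRL from trusted CA:", VerifyCRL(crl, []*x509.Certificate{ca}, roots, time.Now()))
}
```

The order matters for the failure codes a caller sees: a CRL signed by a certificate that does not chain to a trust anchor is reported as not trusted before its signature is ever examined, a name or key-usage mismatch is reported as a signer problem rather than a signature problem, and a CRL whose nextUpdate has passed is rejected even though its signature is sound, which is the case a relying party most often gets wrong by caching.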
A CSSM_TRUE return value means the certificate revocation list can be trusted. If CSSM_FALSE is returned, an error has occurred. This function can also return errors specific to CSP, CL and DL modules.
- CSSM_TP_INVALID_CERTIFICATE
Invalid certificate.
- CSSM_TP_NOT_SIGNER
Signer certificate is not signer of CRL.
- CSSM_TP_NOT_TRUSTED
Certificate revocation list can't be trusted.
- CSSM_TP_CRL_VERIFY_FAIL
Unable to verify certificate.
- CSSM_INVALID_TP_HANDLE
Invalid handle.
- CSSM_INVALID_CL_HANDLE
Invalid handle.
- CSSM_INVALID_DL_HANDLE
Invalid handle.
- CSSM_INVALID_DB_HANDLE
Invalid handle.
- CSSM_FUNCTION_NOT_IMPLEMENTED
Function not implemented.
CSSM_CL_CrlVerify