TP_ApplyCrlToDb(3)


NAME

       TP_ApplyCrlToDb,  CSSM_TP_ApplyCrlToDb - Update persistent
       storage (CDSA)

SYNOPSIS

       #include <cdsa/cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_TP_ApplyCrlToDb
              (CSSM_TP_HANDLE TPHandle,
               CSSM_CL_HANDLE CLHandle,
               CSSM_CSP_HANDLE CSPHandle,
               const CSSM_ENCODED_CRL *CrlToBeApplied,
               const CSSM_CERTGROUP *SignerCertGroup,
               const CSSM_TP_VERIFY_CONTEXT *ApplyCrlVerifyContext,
               CSSM_TP_VERIFY_CONTEXT_RESULT_PTR ApplyCrlVerifyResult)

       SPI:
       CSSM_RETURN CSSMTPI TP_ApplyCrlToDb
              (CSSM_TP_HANDLE TPHandle,
               CSSM_CL_HANDLE CLHandle,
               CSSM_CSP_HANDLE CSPHandle,
               const CSSM_ENCODED_CRL *CrlToBeApplied,
               const CSSM_CERTGROUP *SignerCertGroup,
               const CSSM_TP_VERIFY_CONTEXT *ApplyCrlVerifyContext,
               CSSM_TP_VERIFY_CONTEXT_RESULT_PTR ApplyCrlVerifyResult)

LIBRARY

       Common Security Services Manager library (libcssm.so)

PARAMETERS

       TPHandle
              The handle that describes the add-in trust policy
              module used to perform this function.

       CLHandle
              The handle that describes the add-in certificate
              library module that can be used to manipulate the CRL
              as it is applied to the data store and to manipulate
              the certificates affected by the CRL, if required. If
              no certificate library module is specified, the TP
              module uses an assumed CL module, if required.

       CSPHandle
              The handle referencing a Cryptographic Service Provider
              to be used to verify signatures on the CRL determining
              whether to trust the CRL and apply it to the data
              store. The TP module is responsible for creating the
              cryptographic context structures required to perform
              the verification operation. If no CSP is specified, the
              TP module uses an assumed CSP to perform these
              operations. If optional, the caller will set this value
              to 0.

       CrlToBeApplied
              A pointer to a structure containing the encoded
              certificate revocation list to be applied to the data
              store. The CRL type and encoding are included in this
              structure.

       SignerCertGroup
              A pointer to the CSSM_CERTGROUP structure containing
              one or more related certificates that partially or
              fully represent the signer of the certificate
              revocation list. The first certificate in the group is
              the target certificate representing the CRL signer. Use
              of subsequent certificates is specific to the trust
              domain. For example, in a hierarchical trust model
              subsequent members are intermediate certificates of a
              certificate chain.

       ApplyCrlVerifyContext
              A structure containing credentials, policy information,
              and contextual information to be used in the
              verification process. All of the input values in the
              context are optional. The service provider can define
              default values or can attempt to operate without input
              for all the other fields of this input structure. The
              operation can fail if a necessary input value is
              omitted and the service module cannot define an
              appropriate default value.

       ApplyCrlVerifyResult
              A pointer to a structure containing information
              generated during the verification process. The
              information can include:

              Evidence            (output/optional)
              NumberOfEvidences   (output/optional)

DESCRIPTION

       This function updates persistent storage to reflect entries
       in the certificate revocation list. The TP module determines
       whether the memory-resident CRL is trusted, and if it should
       be applied to one or more of the persistent databases. Side
       effects of this function can include saving a persistent copy
       of the CRL in a data store, or removing certificate records
       from a data store.

RETURN VALUE

       A CSSM_RETURN value indicating  success  or  specifying  a
       particular  error  condition.  The value CSSM_OK indicates
       success. All other values represent an error condition.

ERRORS

       Errors are described in the CDSA technical standard. See
       CDSA_intro(3).

       CSSMERR_TP_INVALID_CL_HANDLE
       CSSMERR_TP_INVALID_CSP_HANDLE
       CSSMERR_TP_INVALID_CRL_TYPE
       CSSMERR_TP_INVALID_CRL_ENCODING
       CSSMERR_TP_INVALID_CRL_POINTER
       CSSMERR_TP_INVALID_CRL
       CSSMERR_TP_INVALID_CERTGROUP_POINTER
       CSSMERR_TP_INVALID_CERTGROUP
       CSSMERR_TP_INVALID_CERTIFICATE
       CSSMERR_TP_INVALID_ACTION
       CSSMERR_TP_INVALID_ACTION_DATA
       CSSMERR_TP_VERIFY_ACTION_FAILED
       CSSMERR_TP_INVALID_CRLGROUP_POINTER
       CSSMERR_TP_INVALID_CRLGROUP
       CSSMERR_TP_INVALID_CRL_AUTHORITY
       CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER
       CSSMERR_TP_INVALID_POLICY_IDENTIFIERS
       CSSMERR_TP_INVALID_TIMESTRING
       CSSMERR_TP_INVALID_STOP_ON_POLICY
       CSSMERR_TP_INVALID_CALLBACK
       CSSMERR_TP_INVALID_ANCHOR_CERT
       CSSMERR_TP_CERTGROUP_INCOMPLETE
       CSSMERR_TP_INVALID_DL_HANDLE
       CSSMERR_TP_INVALID_DB_HANDLE
       CSSMERR_TP_INVALID_DB_LIST_POINTER
       CSSMERR_TP_INVALID_DB_LIST
       CSSMERR_TP_AUTHENTICATION_FAILED
       CSSMERR_TP_INSUFFICIENT_CREDENTIALS
       CSSMERR_TP_NOT_TRUSTED
       CSSMERR_TP_CERT_REVOKED
       CSSMERR_TP_CERT_SUSPENDED
       CSSMERR_TP_CERT_EXPIRED
       CSSMERR_TP_CERT_NOT_VALID_YET
       CSSMERR_TP_INVALID_CERT_AUTHORITY
       CSSMERR_TP_INVALID_SIGNATURE
       CSSMERR_TP_INVALID_NAME
       CSSMERR_TP_CERTIFICATE_CANT_OPERATE


SEE ALSO

       Books

       Intel CDSA Application Developer's Guide (see CDSA_intro(3))

       Reference Pages

       Functions for the CSSM API:

       CSSM_CL_CrlGetFirstItem(3),     CSSM_CL_CrlGetNextItem(3),
       CSSM_DL_CertRevoke(3)

       Functions for the TP SPI:

       CL_CrlGetFirstItem(3),  CL_CrlGetNextItem(3),   DL_CertRevoke(3)


