1 CDSA

  Common Data Security Architecture (CDSA)

  CDSA is a multiplatform, industry standard security infrastructure.  It
  provides a standards-based, stable programming interface that applications
  can use to access operating system security services,  allowing developers
  to create cross-platform, security-enabled applications. Applications
  request security services, such as cryptography and other public key
  operations, through a dynamically extensible application programming
  interface (API).  These requests are serviced by a set of plug-in security
  service modules (SPIs), which  can be supplemented or changed as business
  needs and   technologies evolve.

  The heart of CDSA is the Common Security Services Manager (CSSM), which
  defines both the application API and the service provider interface (SPI)
  for plug-in security service modules. CSSM includes a set  of core
  services that are common  to all categories of security services,
  performing such functions as integrity verification and authentication.

  Available types of plug-in modules include cryptographic services (CSP),
  certificate library (CL), data library (DL), trust policy (TP) and
  authorization computation (AC). CSSM is extensible.

  Applications call functions in the CSSM API, which is fully specified by
  the CDSA technical standard located at
  http://www.opengroup.org/onlinepubs/009609799/. API function names are
  prefaced with CSSM_ and sometimes followed by  the designation of the
  module that will actually handle the request. For instance, an application
  calls CSSM_DL_DbOpen() to direct a DL module to open a data  store. The
  associated service provider interface (SPI) for the module would be
  DL_DbOpen().

  An application begins by initializing its connection to CSSM using the
  CSSM_Init() routine. It might use Module Directory Services (MDS) to query
  for available  modules  and their supported functionality, or it might
  hardcode to a particular module's global unique identifier (GUID).  The
  application loads the desired module using the CSSM_ModuleLoad() routine
  and then attaches to it using the CSSM_ModuleAttach() routine.

SEE ALSO

  CDSA guides, located in CDSA_SYSDIR:[DOCS]:

      Intel CDSA Application Developer's Guide
    .  Intel CDSA Service Provider Developer's Guide
    .  Intel CDSA Manifest Signing Tools User's Guide 

  For Open Source CDSA information and source:

  http://sourceforge.net/projects/cdsa/

  For general CDSA and security information:

      http://www.intel.com/ial/security/

      http://www.opengroup.org/security/l2-cdsa.htm


2 CDSA_API

3 AC_AuthCompute

  AC_AuthCompute - Compute authorization (CDSA)

SYNOPSIS

  # include <cssm.h>

    API:
       CSSM_RETURN CSSMACI CSSM_AC_AuthCompute
       (CSSM_AC_HANDLE ACHandle,
       const CSSM_TUPLEGROUP *BaseAuthorizations,
       const CSSM_TUPLEGROUP *Credentials,
       uint32 NumberOfRequestors,
       const CSSM_LIST *Requestors,
       const CSSM_LIST *RequestedAuthorizationPeriod,
       const CSSM_LIST *RequestedAuthorization,
       CSSM_TUPLEGROUP_PTR AuthorizationResult)

    SPI:
       CSSM_RETURN CSSMACI AC_AuthCompute
       (CSSM_AC_HANDLE ACHandle,
       const CSSM_TUPLEGROUP *BaseAuthorizations,
       const CSSM_TUPLEGROUP *Credentials,
       uint32 NumberOfRequestors,
       const CSSM_LIST *Requestors,
       const CSSM_LIST *RequestedAuthorizationPeriod,
       const CSSM_LIST *RequestedAuthorization,
       CSSM_TUPLEGROUP_PTR AuthorizationResult)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  ACHandle, BaseAuthorizations, Credentials, NumberOfRequestors,
  Requestors, RequestedAuthorizationPeriod, RequestedAuthorization,
  AuthorizationResult

DESCRIPTION

  This function performs an authorization computation and returns the
  results as a group of tuple certificates. The computation is based on
  the following input values:

  Requestors
          
          One or more items that identify the requestor. These
          items are matched against subject fields in
          BaseAuthorizations or Credentials.  These will be of
          any form that occurs in an ACL or certificate, and the
          class of entries is extensible.  AuthCompute uses these
          fields to compare against Subject fields of TUPLES but
          does not interpret them, so it does not need to be
          aware of these extensions.  Requestors, taken together
          with RequestedAuthorization and
          RequestedAuthorizationPeriod, form request tuples of
          the form "who requests what, when." Requestors can be
          public keys that verify some signed request, hashes of
          objects submitted for proof of permission, etc. In
          general, there will be only one Requestor, typically
          the public key of some keyholder signing a request or
          authenticating a connection.

  RequestedAuthorization
          The authorization against which the Requestors are 
          being tested in this computation.

  RequestedAuthorizationPeriod
          The time range of an authorization computation.

  BaseAuthorizations
          The group of ACL entries (unsigned certificates) provided as the
          basis for this computation.

  Credentials
          A group of tuple-certificates used with the 
          BaseAuthorizations to grant authorizations to the Requestors.

          ___________________________________________________________
          Kind of Subject  Example Requestor
          ___________________________________________________________
          Public key    (public-key (rsa-pkcs1-sha1 (e #03#) (n ##)))
                        (hash md5 #900150983cd24fb0d6963f7d28e17f72#)

          Hash of object,
          key, template,
          etc.
          ___________________________________________________________

  The most likely Requestor is a public key that signs a request.
  In common practice there will be one Requestor per computation,
  but it is possible for an ACL or certificate to require
  multiple signatures or other forms of identification before an
  action is authorized. In that case, there must be multiple
  Requestors. This function can be used in the following modes:

      To verify the authorization of a specific request, backed up by
       specific Requestors

      To compute the set of authorizations that a particular set of
       Requestors has been granted by the BaseAuthorizations and
       Credentials.

  When using this function to verify an authorization, the
  RequestedAuthorization is the specific authorization being
  requested and the RequestedAuthorizationPeriod gives the date
  and time of that request (typically the current date and time)
  using both NOT_BEFORE and NOT_AFTER dates. The result, if any,
  should be an ACL entry with the same authorization that was
  requested. If such an ACL entry is produced by the computation,
  then the request is authorized.

  Requested Authorization Example
  (http http://private.cdsa.hp.com/local-data.html )
  (ftp ftp://private.cdsa.hp.com/users/cme/private/test.txt write)
  Requested Authorization Period Example

  (valid (not-before "1999-07-28_17:00:44") (not-after "1999-07-
  28_17:00:44"))

  When using this function to compute the full set of possible
  authorizations from a set of credentials, rather than to verify a
  specific access request, the inputs should be of the following form:

      RequestedAuthorizationPeriod is either an empty list or the list
       "valid", indicating "all time".

      RequestedAuthorization is the list "*", indicating all possible
       authorizations.

  The result of this computation, if any, will be one or more ACL entries
  representing all the granted authorizations for the indicated requestor.

  The scope of ACLs output from this function is limited to the local
  system.  Each ACL should be interpreted to mean: "for this machine,
  under these base authorization ACLs and the provided certificates,
  relative to the specified requestors, the following authorizations have
  been deduced". Those authorizations are available only on the current
  platform (and possibly only for the application providing the ACL) and
  are therefore in the form of an ACL. They are not intended to be used by
  any other machine or application instance. However, the resulting ACLs
  can be transferred and used outside of the local scope by an entity with
  authority in the target scope/environment. The transfer and use is a
  three-step process:

   1.  Convert the ACL into one or more certificates. The certificates 
       must be signed by some private key with appropriate authority 
       in the target scope/environment.

   2.  Transfer the certificates to the target environment.

   3.  Use the signed certificates as input Credentials to this 
       function in the target scope/environment.

  If the function is successful, check (*AuthorizationResult)->NumCerts
  to determine the precise number of authorizations granted by this
  computation.  If 0, then the requestors were not authorized.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a
  particular error condition. The value CSSM_OK indicates
  success. All other values represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_AC_INVALID_BASE_ACLS
       CSSMERR_AC_INVALID_ENCODING
       CSSMERR_AC_INVALID_REQUESTOR
       CSSMERR_AC_INVALID_REQUEST_DESCRIPTOR
       CSSMERR_AC_INVALID_TUPLE_CREDENTIALS
       CSSMERR_AC_INVALID_VALIDITY_PERIOD

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_TP_CertGroupToTupleGroup
      CSSM_TP_TupleGroupToCertGroup

  Functions for the AC SPI:

      TP_CertGroupToTupleGroup
      TP_TupleGroupToCertGroup

4 ACHandle
  (input)
          The handle that describes the authorization computation module
          used to perform this function.

4 BaseAuthorizations
  (input)
          A pointer to a CSSM_TUPLEGROUP containing at least one ACL
          certificate, specifying the authorization granted to certain
          root keys, named entities or combinations thereof. A NULL group
          of BaseAuthorizations always results in a NULL
          AuthorizationResult.

4 Credentials
  (input/optional)
          A pointer to a CSSM_TUPLEGROUP containing a group of
          certificates, in TUPLE form. The tuple-certificates define
          the delegation of authorizations from the BaseAuthorizations
          to the Requestors.  If no additional authorization-granting
          tuples are provided, then this value is NULL and the
          BaseAuthorizations are the only source of trusted
          authorizations used as input to the authorization computation.

4 NumberOfRequestors
  (input)
          The number of entries in the Requestors array.

4 Requestors
  (input)
          A pointer to a list of requestors that define the "who" portion
          of the request. The list can be of type CSSM_LIST_TYPE_SEXPR.
          Typical exhibits include:

             Public keys
             Hashes of keys
             Hashes of other objects offered for proof.

4 RequestedAuthorizationPeriod
  (input/optional)
          A list defining a validity period or NULL (implying "all time").
          This is the "when" portion of the request.

          If the list is of type CSSM_LIST_TYPE_SEXPR, then the validity
          interval is specified as a two-element list containing the
          values ((not-before <date1>)(not-after <date2 >)). Note that
          each element is a two-element sublist. The <date> is represented
          by an ASCII byte-string, in the format (for example)
          "1998-11-24_15:06:16" and is assumed to be GMT. Open-ended time
          intervals are specified by omitting either of the interval ends.
          For example, ((not-before 1997-1-1_00:00:0)) specifies all dates
          and times beginning on January 1, 1997 going forward
          indefinitely.  For programming convenience, when testing for
          authorization at a single point in time, the date is represented
          by a one-element list containing (<date>).

4 RequestedAuthorization
  (input)
          A list defining the "what" portion of the authorization being
          requested.

          If the list is of type CSSM_LIST_TYPE_SEXPR, then the list
          presents an authorization request in SPKI format. If a
          specific authorization is being requested, then this input is
          a two-element SEXPR list containing (tag <req>).  The valid
          values for <req> are application-specific. If this is a request
          to derive all possible authorizations based on the
          BaseAuthorizations, Credentials, and Requestors, then this
          input value must be the two-element list containing (tag (*)).
          This list corresponds to "all authorizations". With this input,
          the function tests the provided ACL and certificates against
          the Requestors (and possibly RequestedAuthorizationPeriod) to
          yield all authorizations for which the provided Exhibits
          qualify.

4 AuthorizationResult
  (output)
          A CSSM_TUPLEGROUP structure, giving the result of the
          authorization computation. Typically there will be one result,
          but there could be as many as there are entries in the
          BaseAuthorizations.  Each of these results says, in effect:
          "for this machine, under this ACL and the provided certificates,
          relative to the specified Requestors, the following
          authorizations have been deduced". Those authorizations are
          available only on the current platform (and possibly only for
          the application providing the ACL), and are therefore in the
          form of an ACL. They are not intended to be used by any other
          machine or application instance, necessarily, and need to be
          converted into certificates signed by some private key
          available to the caller if they are to be so used.

3 AC_PassThrough

NAME

  AC_PassThrough,
  CSSM_AC_PassThrough - Call exported module-specific operations (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_AC_PassThrough
       (CSSM_AC_HANDLE ACHandle,
       CSSM_TP_HANDLE TPHandle,
       CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DL_DB_LIST *DBList,
       uint32 PassThroughId,
       const void *InputParams,
       void **OutputParams)

       SPI:
       CSSM_RETURN CSSMACI AC_PassThrough
       (CSSM_AC_HANDLE ACHandle,
       CSSM_TP_HANDLE TPHandle,
       CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DL_DB_LIST *DBList,
       uint32 PassThroughId,
       const void *InputParams,
       void **OutputParams)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  ACHandle, TPHandle, CLHandle, CCHandle, DBList, PassThroughId,
  InputParams, OutputParams

DESCRIPTION

  This function allows applications to call authorization
  computation module-specific operations that have been exported.
  Such operations might include queries or services specific to
  the domain represented by the AC module.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a
  particular error condition. The value CSSM_OK indicates
  success. All other values represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_AC_INVALID_CL_HANDLE
       CSSMERR_AC_INVALID_CONTEXT_HANDLE
       CSSMERR_AC_INVALID_DBLIST_POINTER
       CSSMERR_AC_INVALID_DB_LIST
       CSSMERR_AC_INVALID_DB_HANDLE
       CSSMERR_AC_INVALID_DL_HANDLE
       CSSMERR_AC_INVALID_PASSTHROUGH_ID
       CSSMERR_AC_INVALID_TP_HANDLE

SEE ALSO

  Intel CDSA Application Developer's Guide (see CDSA)

4 ACHandle
  (input)
          The handle that describes the authorization computation module
          used to perform this function.

4 TPHandle
  (input/optional)
          The handle that describes the trust policy module that can be
          used by the authorization computation service to implement this
          function. If no trust policy module is specified, the AC module
          uses an assumed TP module, if required.

4 CLHandle
  (input/optional)
          The handle that describes the add-in certificate library
          module that can be used to manipulate the subject certificate
          and anchor certificates. If no certificate library module is
          specified, the AC module uses an assumed CL module, if
          required.

4 CCHandle
  (input/optional)
          The handle that describes the cryptographic context containing
          a handle that describes the add-in cryptographic service
          provider module that can be used to perform cryptographic
          operations as required to perform the requested operation.
          If no cryptographic context is specified, the AC module uses
          an assumed cryptographic context and CSP module, if required.

4 DBList
  (input/optional)
          A list of handle pairs specifying a data storage library module
          and a data store managed by that module. These data stores can
          contain certificates, CRLs, and policy objects for use by the
          AC module. If no DL and DB handle pairs are specified, the AC
          module uses an assumed DL module and an assumed data store for
          this operation.

4 PassThroughId
  (input)
          An identifier assigned by the AC module to indicate the exported
          function to perform.

4 InputParams
  (input)
          A pointer to a module, implementation-specific structure
          containing parameters to be interpreted in a function-specific
          manner by the requested AC module. If the passthrough function
          requires access to a private key located in the CSP referenced
          by CSPHandle, then InputParams should contain a passphrase, or
          a callback or cryptographic context that can be used to obtain
          the passphrase.

4 OutputParams
  (output/optional)
          A pointer to a module, implementation-specific structure
          containing the output data. The service provider will allocate
          the memory for this structure. The application must free the
          memory for the structure.

3 CL_CertAbortCache

NAME

  CL_CertAbortCache,
  CSSM_CL_CertAbortCache - Terminate a certificate cache handle (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertAbortCache
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE CertHandle)

       SPI:
       CSSM_RETURN CSSMAPI CSSM_CL_CertAbortCache
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE CertHandle)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the certificate library module used
          to perform this function.

  CertHandle (input)
          The handle that identifies the cached certificate.

DECRIPTION

  This function terminates a certificate cache handle created and
  returned by the function CSSM_CL_CertCache() (CSSM API) or
  CL_CertCache() (CL SPI). The Certificate Library module
  releases all cache space and state information associated with
  the cached certificate.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a
  particular error condition. The value CSSM_OK indicates
  success. All other values represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CACHE_HANDLE

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertCache

  Functions for the CLI SPI:

      CL_CertCache

3 CL_CertAbortQuery

NAME

  CL_CertAbortQuery,
  CSSM_CL_CertAbortQuery function - Terminate a results handle (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertAbortQuery
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE ResultsHandle)

       SPI:
       CSSM_RETURN CSSMAPI CSSM_CL_CertAbortQuery
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE ResultsHandle)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  ResultsHandle (input)
          A pointer to the handle that identifies the results of a
          CSSM_CL_GetFieldValue() (CSSM API), or CL_GetFieldValue()
          (CLI SPI) request.

DESCRIPTION

  This function terminates a results handle used to access multiple
  certificate fields identified by a single OID. The ResultsHandle was
  created and returned by CSSM_CL_CertGetFirstFieldValue() (CSSM API),
  or CL_CertGetFirstFieldValue() (CL SPI), or
  CSSM_CL_CertGetFirstCachedFieldValue() (CSSM API), or
  CL_CertGetFirstCachedFieldValue() (CL SPI).

  The CL releases all intermediate state information associated with the
  repeating-value query. Once this function has been invoked, the results
  handle is invalid.

  Applications must invoke this function to terminate the ResultsHandle.
  Using CSSM_CL_CertGetNextFieldValue() (CSSM API), or
  CL_CertGetNextFieldValue() (CL SPI), or
  CSSM_CL_CertGetNextCachedFieldValue() (CSSM API), or
  CL_CertGetNextCachedFieldValue() (CL SPI), to access all of the
  attributes named by a single OID does not terminate the ResultsHandle.

  This function can be invoked to terminate the results handle without
  accessing all values identified by the single OID.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other
  values represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_RESULTS_HANDLE

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetFirstFieldValue
      CSSM_CL_CertGetNextFieldValue
      CSSM_CL_CertGetFirstCachedFieldValue
      CSSM_CL_CertGetNextCachedFieldValue

  Functions for the CLI SPI:

      CL_CertGetFirstFieldValue
      CL_CertGetNextFieldValue
      CL_CertGetFirstCachedFieldValue
      CL_CertGetNextCachedFieldValue

3 CL_CertCache

NAME

  CL_CertCache,
  CSSM_CL_CertCache - Cache a copy of a certificate (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertCache
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Cert,
       CSSM_HANDLE_PTR CertHandle)
       SPI:
       CSSM_RETURN CSSMAPI CSSM_CL_CertCache
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Cert,
       CSSM_HANDLE_PTR CertHandle)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the certificate library module used
          to perform this function.

  Cert (input)
          A pointer to the CSSM_DATA structure containing the encoded
          certificate.

  CertHandle (output)
          A pointer to the CSSM_HANDLE that should be used in all future
          references to the cached certificate.

DESCRIPTION

  This function caches a copy of a certificate for subsequent accesses
  using the functions CSSM_CL_CertGetFirstCachedFieldValue() (CSSM API),
  or CL_CertGetFirstCachedFieldValue() (CL SPI), and
  CSSM_CL_CertGetNextCachedFieldValue() (CSSM API), or
  CL_CertGetNextCachedFieldValue() (CL SPI).

  The input certificate must be in an encoded representation.  The
  Certificate Library module can cache the certificate in any appropriate
  internal representation.  Parsed or incrementally parsed representations
  are common.  The selected representation is opaque to the caller.

  The application must call CSSM_CL_CertAbortCache() (CSSM API), or
  CL_CertAbortCache() (CL SPI), to remove the cached copy when additional
  get operations will not be performed on the cached certificate.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other
  values represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetFirstCachedFieldValue
      CSSM_CL_CertGetNextCachedFieldValue
      CSSM_CL_CertAbortQuery
      CSSM_CL_CertAbortCache

  Functions for the CLI SPI:

      CL_CertGetFirstCachedFieldValue
      CL_CertGetNextCachedFieldValue
      CL_CertAbortQuery
      CL_CertAbortCache

3 CL_CertCreateTemplate

NAME

  CL_CertCreateTemplate,
  CSSM_CL_CertCreateTemplate - Allocate and initialize
                               memory for a certificate template (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertCreateTemplate
       (CSSM_CL_HANDLE CLHandle,
       uint32 NumberOfFields,
       const CSSM_FIELD *CertFields,
       CSSM_DATA_PTR CertTemplate)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertCreateTemplate
       (CSSM_CL_HANDLE CLHandle,
       uint32 NumberOfFields,
       const CSSM_FIELD *CertFields,
       CSSM_DATA_PTR CertTemplate)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the certificate library module used
          to perform this function.

  NumberOfFields (input)
          The number of certificate field values specified in the
          CertFields.

  CertFields (input)
          A pointer to an array of OID/value pairs that identify the
          field values to initialize a new certificate.

  CertTemplate (output)
          A pointer to a CSSM_DATA structure that will contain the
          unsigned certificate template as a result of this function.

DESCRIPTION

  This function allocates and initializes memory for an encoded
  certificate template output in CertTemplate->Data. The template
  values are specified by the input OID/value pairs contained in
  CertFields. The initialization process includes encoding all
  certificate field values according to the certificate type and
  certificate encoding supported by the certificate library
  module.

  The memory for CertTemplate->Data is allocated by the service provider
  using the calling application's memory management routines.  The
  application must deallocate the memory.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_FIELD_POINTER
       CSSMERR_CL_UNKNOWN_TAG
       CSSMERR_CL_INVALID_NUMBER_OF_FIELDS

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetAllTemplateFields
      CSSM_CL_CertSign

  Functions for the CLI SPI:

      CL_CertGetAllTemplateFields
      CL_CertSign

3 CL_CertDescribeFormat

NAME

  CL_CertDescribeFormat,
  CSSM_CL_CertDescribeFormat - Return a list of the CSSM_OID values (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertDescribeFormat
       (CSSM_CL_HANDLE CLHandle,
       uint32 *NumberOfOids,
       CSSM_OID_PTR *OidList)
       SPI:
       CSSM_RETURN CSSMAPI CSSM_CL_CertDescribeFormat
       (CSSM_CL_HANDLE CLHandle,
       uint32 *NumberOfOids,
       CSSM_OID_PTR *OidList)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  NumberOfOids (output)
          The length of the returned array of OIDs.

  OidList (output)
          A pointer to the array of CSSM_OIDs that represent the supported
          certificate format. The OID list is allocated by the service
          provider and must be deallocated by the application.

DESCRIPTION

  This function returns a list of the CSSM_OID values this certificate
  library module uses to name and reference fields of a certificate.
  Multiple CSSM_OID values can correspond to a single field. These OIDs
  can be provided as input to CSSM_CL_CertGetFirstFieldValue() (CSSM API),
  or CL_CertGetFirstFieldValue() (CL SPI), to retrieve field values from
  the certificate. The OID also implies the data format of the returned
  value.  When multiple OIDs name the same field of a certificate, those
  OIDs have different return data formats associated with them.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

  None specific to this call.

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetAllFields
      CSSM_CL_CertGetFirstFieldValue
      CSSM_CL_CertGetFirstCachedFieldValue

  Functions for the CLI SPI:

      CL_CertGetAllFields
      CL_CertGetFirstFieldValue
      CL_CertGetFirstCachedFieldValue

3 CL_CertGetAllFields

NAME

  CL_CertGetAllFields,
  CSSM_CL_CertGetAllFields - Return a list of input certificate values
                             (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetAllFields
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Cert,
       uint32 *NumberOfFields,
       CSSM_FIELD_PTR *FieldList)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertGetAllFields
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Cert,
       uint32 *NumberOfFields,
       CSSM_FIELD_PTR *FieldList)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  Cert (input)
          A pointer to the CSSM_DATA structure containing the certificate
          whose fields will be returned.

  NumberOfFields (output)
          The length of the returned array of fields.

  FieldList (output)
          A pointer to an array of CSSM_FIELD structures that contain the
          values of all fields of the input certificate. The field list is
          allocated by the service provider and must be deallocated by the
          application by calling CSSM_CL_FreeFields() (CSSM API), or
          CL_FreeFields() (CL SPI).

DESCRIPTION

  This function returns a list of the values stored in the input
  certificate.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  For the CSSM API: CSSM_CL_CertGetFirstFieldValue,
                    CSSM_CL_CertDescribeFormat
                    CSSM_CL_FreeFields

  For the CLI SPI: CL_CertGetFirstFieldValue
                   CL_CertDescribeFormat
                   CL_FreeFields

3 CL_CertGetAllTemplateFields

NAME

  CL_CertGetAllTemplateFields,
  CSSM_CL_CertGetAllTemplateFields - Extract and return values stored
                                     in CertTemplate (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetAllTemplateFields
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *CertTemplate,
       uint32 *NumberOfFields,
       CSSM_FIELD_PTR *CertFields)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertGetAllTemplateFields
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *CertTemplate,
       uint32 *NumberOfFields,
       CSSM_FIELD_PTR *CertFields)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the certificate library module used
          to perform this function.

  CertTemplate (input)
          A pointer to the CSSM_DATA structure containing the packed,
          encoded certificate template.

  NumberOfFields (output)
          The length of the output array of fields.

  CertFields (output)
          A pointer to an array of CSSM_FIELD structures which contains
          the OIDs and values of the fields of the input certificate
          template.

DESCRIPTION

  This function extracts and returns a copy of the values stored
  in the encoded CertTemplate. The memory for the CertFields
  output is allocated by the service provider using the calling
  application's memory management routines. The application must
  deallocate the memory by calling CSSM_CL_FreeFields() (CSSM
  API), or CL_FreeFields() (CL SPI).

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_UNKNOWN_FORMAT

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_FreeFields
      CSSM_CL_CertCreateTemplate

  Functions for the CLI SPI:

      CL_FreeFields
      CL_CertCreateTemplate

3 CL_CertGetFirstCachedFieldValue

NAME

  CL_CertGetFirstCachedFieldValue,
  CSSM_CL_CertGetFirstCachedFieldValue - Return values from the cached
                                         certificate (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetFirstCachedFieldValue
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE CertHandle,
       const CSSM_OID *CertField,
       CSSM_HANDLE_PTR ResultsHandle,
       uint32 *NumberOfMatchedFields,
       CSSM_DATA_PTR *FieldValue)
       SPI:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetFirstCachedFieldValue
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE CertHandle,
       const CSSM_OID *CertField,
       CSSM_HANDLE_PTR ResultsHandle,
       uint32 *NumberOfMatchedFields,
       CSSM_DATA_PTR *FieldValue)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  CertHandle (input)
          A handle identifying a certificate that the application has
          temporarily cached with the Certificate Library module. The
          referenced certificate is searched for the field value named
          by CertField.

  CertField (input)
          A pointer to an object identifier that identifies the field
          value to be extracted from the Cert.

  ResultsHandle (output)
          A pointer to the CSSM_HANDLE that should be used to obtain any
          additional matching fields.

  NumberOfMatchedFields (output)
          The total number of fields that match the CertField OID. This
          count includes the first match, which was returned by this
          function.

  FieldValue (output)
          A pointer to the structure containing the value of the
          requested field. The structure and the field at I
          "(*FieldValue)->Data" are allocated by the service provider.
          The CSSM_CL_FreeFieldValue() (CSSM API), or CL_FreeFieldValue()
          (CL SPI), function can be used to deallocate FieldValue and
          (*FieldValue)->Data.

DESCRIPTION

  This function returns a single structure containing a set of
  field values from the cached certificate identified by
  CertHandle. The selected fields are designated by the CSSM_OID
  CertField and returned in the output parameter FieldValue. The
  OID also identifies the data format of the values returned to
  the caller. If multiple OIDs designate the same certificate
  field, then each such OID defines a distinct data format for
  the returned values. The function CSSM_CL_CertDescribeFormat()
  (CSSM API), or CL_CertDescribeFormat() (CL SPI), provides a
  list of all CSSM_OID values supported by a certificate library
  module for naming fields of a certificate.

  The CertField OID can identify a single occurrence of a set of
  certificate fields, or multiple occurrences of a set of certificate
  fields. If the CertField OID matches more than one occurrence, this
  function outputs the total number of matches and a ResultsHandle to be
  used as input to CSSM_CertGetNextCachedFieldValue() (CSM API), or
  CertGetNextCachedFieldValue() (CL SPI), to retrieve the remaining
  matches.  The first match is returned as the return value of this
  function.

  This function determines the complete set of matches. The number of
  matches and the selected field values do not change between this
  function and subsequent calls to CSSM_CL_CertGetNextCachedFieldValue()
  (CSSM API), or CL_CertGetNextCachedFieldValue() (CL SPI).

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CACHE_HANDLE
       CSSMERR_CL_UNKNOWN_TAG
       CSSMERR_CL_NO_FIELD_VALUES

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetNextCachedFieldValue
      CSSM_CL_CertAbortCache
      CSSM_CL_CertAbortQuery
      CSSM_CL_CertGetAllFields
      CSSM_CL_CertDescribeFormat
      CSSM_CL_FreeFieldValue

  Functions for the CLI SPI:

      CL_CertGetNextCachedFieldValue
      CL_CertAbortCache
      CL_CertAbortQuery
      CL_CertGetAllFields
      CL_CertDescribeFormat
      CL_FreeFieldValue

3 CL_CertGetFirstFieldValue

NAME

  CL_CertGetFirstFieldValue,
  CSSM_CL_CertGetFirstFieldValue - Return the value of the certificate
                                   field (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetFirstFieldValue
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Cert,
       const CSSM_OID *CertField,
       CSSM_HANDLE_PTR ResultsHandle,
       uint32 *NumberOfMatchedFields,
       CSSM_DATA_PTR *Value)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertGetFirstFieldValue
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Cert,
       const CSSM_OID *CertField,
       CSSM_HANDLE_PTR ResultsHandle,
       uint32 *NumberOfMatchedFields,
       CSSM_DATA_PTR *Value)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  Cert (input)
          A pointer to the CSSM_DATA structure containing the certificate.

  CertField (input)
          A pointer to an object identifier which identifies the field
          value to be extracted from the Cert.

  ResultsHandle (output)
          A pointer to the CSSM_HANDLE that should be used to obtain any
          additional matching fields.

  NumberOfMatchedFields (output)
          The total number of fields that match the CertField OID. This
          count includes the first match, which was returned by this
          function.

  Value (output)
          A pointer to the structure containing the value of the
          requested field. The structure and the field at I
          "(*Value)->Data" are allocated by the service provider. The
          CSSM_CL_FreeFieldValue() (CSSM API) or CL_FreeFieldValue()
          (CL SPI) function can be used to deallocate *Value and
          (*Value)->Data.

DESCRIPTION

  This function returns the value of the certificate field designated by
  the CSSM_OID CertField. The OID also identifies the data format for the
  field value returned to the caller. If multiple OIDs name the same
  certificate field, then each such OID defines a distinct data format
  for the returned field value. The function CSSM_CL_CertDescribeFormat()
  (CSSM API), or CL_CertDescribeFormat() (CL SPI), provides a list of all
  CSSM_OID values supported by a certificate library module for naming
  fields of a certificate.

  If more than one field matches the CertField OID, the first matching
  field will be returned. The number of matching fields is an output
  parameter, as is the ResultsHandle to be used to retrieve the remaining
  matching fields.

  The set of matching fields is determined by this function. The number of
  matching fields and the field values do not change between this function
  and subsequent calls to CSSM_CL_CertGetNextFieldValue() (CSSM API), or
  CL_CertGetNextFieldValue() (CL SPI).

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT
       CSSMERR_CL_UNKNOWN_TAG
       CSSMERR_CL_NO_FIELD_VALUES

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetNextFieldValue
      CSSM_CL_CertAbortQuery
      CSSM_CL_CertGetAllField
      CSSM_CL_FreeFieldValue
      CSSM_CL_CertDescribeFormat
      CSSM_CL_FreeFieldValue

  Functions for the CLI SPI:

      CL_CertGetNextFieldValue
      CL_CertAbortQuery
      CL_CertGetAllField
      CL_FreeFieldValue
      CL_CertDescribeFormat
      CL_FreeFieldValue

3 CL_CertGetKeyInfo

NAME

  CL_CertGetKeyInfo,
  CSSM_CL_CertGetKeyInfo - Return the public key and integral
                           information (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetKeyInfo
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Cert,
       CSSM_KEY_PTR *Key)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertGetKeyInfo
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Cert,
       CSSM_KEY_PTR *Key)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  Cert (input)
          A pointer to the CSSM_DATA structure containing the certificate
          from which to extract the public key information.

  Key (output)
          A pointer to the CSSM_KEY structure containing the public key
          and possibly other key information. The CSSM_KEY structure and
          its substructures are allocated by the service provider and
          must be deallocated by the application.

DESCRIPTION

  This function returns the public key and integral information about the
  key from the specified certificate. The key structure returned is a
  compound object. It can be used in any function requiring a key, such
  as creating a cryptographic context.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetFirstFieldValue
      CSSM_CL_FreeFieldValue

  Functions for the CLI SPI:

      CL_CertGetFirstFieldValue
      CL_FreeFieldValue

3 CL_CertGetNextCachedFieldValue

NAME

  CL_CertGetNextCachedFieldValue,
  CSSM_CL_CertGetNextCachedFieldValue - Return the value of a certificate
                                        field (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetNextCachedFieldValue
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE ResultsHandle,
       CSSM_DATA_PTR *FieldValue)
       SPI:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetNextCachedFieldValue
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE ResultsHandle,
       CSSM_DATA_PTR *FieldValue)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the certificate library module used to
          perform this function.

  ResultsHandle (input)
          The handle that identifies the results of a certificate query.

  FieldValue (output)
          A pointer to the structure containing the value of the
          requested field. The structure and the field at I
          "(*FieldValue)->Data" are allocated by the service provider.
          The CSSM_CL_FreeFieldValue() (CSSM API), or CL_FreeFieldValue()
          (CL SPI) function can be used to deallocate *FieldValue and
          (*FieldValue)->Data.

DESCRIPTION

  This function returns the value of a certificate field, when that
  field occurs multiple times in a certificate. Certificates with
  repeated fields (such as multiple signatures) have multiple field
  values corresponding to a single OID. A call to the function
  CSSM_CL_CertGetFirstCachedFieldValue() (CSSM API), or
  CL_CertGetFirstCachedFieldValue() (CL SPI), returns a ResultsHandle
  identifying the size and values contained in the result set.  The
  CSSM_CL_CertGetNextCachedFieldValue() (CSSMAPI), or
  CL_CertGetNextCachedFieldValue() (CL SPI), function can be called
  repeatedly to obtain these values, one at a time. The result set does
  not change in size or value between calls to this function.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_RESULTS_HANDLE
       CSSMERR_CL_NO_FIELD_VALUES

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetFirstCachedFieldValue
      CSSM_CL_CertAbortCache
      CSSM_CL_CertAbortQuery
      CSSM_CL_CertGetAllFields
      CSSM_CL_CertDescribeFormat
      CSSM_CL_FreeFieldValue

  Functions for the CLI SPI:

      CL_CertGetFirstCachedFieldValue
      CL_CertAbortCache
      CL_CertAbortQuery
      CL_CertGetAllFields
      CL_CertDescribeFormat
      CL_FreeFieldValue

3 CL_CertGetNextFieldValue

NAME

  CL_CertGetNextFieldValue,
  CSSM_CL_CertGetNextFieldValue - Return the value of a certificate
                                  field (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGetNextFieldValue
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE ResultsHandle,
       CSSM_DATA_PTR *Value)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertGetNextFieldValue
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE ResultsHandle,
       CSSM_DATA_PTR *Value)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  ResultsHandle (input)
          The handle that identifies the results of a certificate query.

  Value (output)
          A pointer to the structure containing the value of the
          requested field. The structure and the field at I
          "(*Value)->Data" are allocated by the service provider. The
          CSSM_CL_FreeFieldValue() (CSSM API) or CL_FreeFieldValue()
          (CL SPI), function can be used to deallocate *Value and
          (*Value)->Data.

DESCRIPTION

  This function returns the value of a certificate field, when that
  field occurs multiple times in a certificate. Certificates with
  repeated fields (such as multiple signatures) have multiple field
  values corresponding to a single OID. A call to the function
  CSSM_CL_CertGetFirstFieldValue() (CSSM API), or
  CL_CertGetFirstFieldValue() (CL SPI), returns a results handle
  identifying the size and values contained in the result set. The
  CSSM_CL_CertGetNextFieldValue() (CSSM API), or
  CL_CertGetNextFieldValue() (CL SPI), function can be called repeatedly
  to obtain these values, one at a time. The result set does not change
  in size or value between calls to this function.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_RESULTS_HANDLE
       CSSMERR_CL_NO_FIELD_VALUES

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGetFirstFieldValue
      CSSM_CL_CertAbortQuery
      CSSM_CL_FreeFieldValue

  Functions for the CLI SPI:

      CL_CertGetFirstFieldValue
      CL_CertAbortQuery
      CL_FreeFieldValue

3 CL_CertGroupFromVerifiedBundle

NAME

  CL_CertGroupFromVerifiedBundle,
  CSSM_CL_CertGroupFromVerifiedBundle - Verify the signature of a
                                        bundle (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGroupFromVerifiedBundle
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_CERT_BUNDLE *CertBundle,
       const CSSM_DATA *SignerCert,
       CSSM_CERTGROUP_PTR *CertGroup)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertGroupFromVerifiedBundle
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_CERT_BUNDLE *CertBundle,
       const CSSM_DATA *SignerCert,
       CSSM_CERTGROUP_PTR *CertGroup)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  CCHandle (input/optional)
          The handle of the cryptographic context to control the
          verification operation.

  CertBundle (input)
          A structure containing a reference to a signed, encoded bundle
          of certificates and to descriptors of the type and encoding of
          the bundle.  The bundled certificates are to be separated into
          a certificate group (list of individual encoded certificates).
          If the bundle type and bundle encoding are not specified, the
          add-in module might either attempt to decode the bundle
          assuming a default type and encoding or might immediately fail.

  SignerCert (input/optional)
          The certificate to be used to verify the signature on the
          certificate bundle.  If the bundle is signed but this field is
          not specified, then the module will assume a default certificate
          for verification.

  CertGroup (output)
          A pointer to the certificate group, represented as an array
          of individual, encoded certificates. The certificate group
          and CSSM_CERTGROUP substructures are allocated by the serivce
          provider and must be deallocated by the application. The group
          contains all certificates contained in the certificate bundle.

DESCRIPTION

  This function accepts as input a certificate bundle (a codified and
  signed aggregation of the certificates in the group), verifies the
  signature of the bundle (if a signature is present), and returns a
  certificate group (as an array of individual certificates) including
  every certificate contained in the bundle. The signature on the
  certificate aggregate is verified using the cryptographic context and
  possibly using the input signer certificate.  The CL module embeds the
  knowledge of the verification scope for the bundle types that it
  supports. A CL module's supported bundle types and encodings are
  available to applications by querying the CSSM registry. The type and
  encoding of the certificate bundle must be specified with the input
  bundle.  If signature verification is successful, the certificate
  aggregate will be parsed into a certificate group whose order
  corresponds to the certificate aggregate ordering. This certificate
  group will then be returned to the calling application.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CONTEXT_HANDLE
       CSSMERR_CL_INVALID_BUNDLE_POINTER
       CSSMERR_CL_INVALID_BUNDLE_INFO
       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_INVALID_CERTGROUP_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGroupToSignedBundle

  Functions for the CLI SPI:

      CL_CertGroupToSignedBundle

3 CL_CertGroupToSignedBundle

NAME

  CL_CertGroupToSignedBundle,
  CSSM_CL_CertGroupToSignedBundle - Convert a certificate group to a
                                    certificate bundle (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertGroupToSignedBundle
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_CERTGROUP *CertGroupToBundle,
       const CSSM_CERT_BUNDLE_HEADER *BundleInfo,
       CSSM_DATA_PTR SignedBundle)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertGroupToSignedBundle
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_CERTGROUP *CertGroupToBundle,
       const CSSM_CERT_BUNDLE_HEADER *BundleInfo,
       CSSM_DATA_PTR SignedBundle)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  CCHandle (input/optional)
          The handle of the cryptographic context to control the signing
          operation.  The operation will fail if a signature is required
          for this type of bundle and the cryptographic context is not
          valid.

  CertGroupToBundle (input)
          An array of individual, encoded certificates. All certificates
          in this list will be included in the resulting certificate
          bundle.

  BundleInfo (input/optional)
          A structure containing the type and encoding of the bundle to
          be created.  If the type and the encoding are not specified,
          then the module will use a default bundle type and bundle
          encoding.

  SignedBundle (output)
          The function returns a pointer to a signed certificate bundle
          containing all certificates in the certificate group. The bundle
          is of the type and encoding requested by the caller or is the
          default type defined by the library module if the BundleInfo was
          not specified by the caller. The SignedBundle->Data is allocated
          by the service provider and must be deallocated by the
          application.

DESCRIPTION

  This function accepts as input a certificate group (as an array
  of individual certificates) and returns a certificate bundle (a
  codified and signed aggregation of the certificates in the
  group). The certificate group will first be encoded according
  to the BundleInfo input by the user. If BundleInfo is NULL, the
  library will perform a default encoding for its default bundle
  type. If possible, the certificate group ordering will be
  maintained in this certificate aggregate encoding. After
  encoding, the certificate aggregate will be signed using the
  input context. The CL module embeds knowledge of the signing
  scope for the bundle types it supports. The signature is then
  associated with the certificate aggregate according to the
  bundle type and encoding rules and is returned as a bundle to
  the calling application.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CONTEXT_HANDLE
       CSSMERR_CL_INVALID_CERTGROUP_POINTER
       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT
       CSSMERR_CL_INVALID_BUNDLE_POINTER
       CSSMERR_CL_INVALID_BUNDLE_INFO

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertGroupFromVerifiedBundle

  Functions for the CLI SPI:

      CL_CertGroupFromVerifiedBundle

3 CL_CertSign

NAME

  CL_CertSign,
  CSSM_CL_CertSign - Sign a certificate (CDSA)

SYNOPSIS

  # include <cssm.h>

       API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertSign
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *CertTemplate,
       const CSSM_FIELD *SignScope,
       uint32 ScopeSize,
       CSSM_DATA_PTR SignedCert)
       SPI:
       CSSM_RETURN CSSMCLI CL_CertSign
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *CertTemplate,
       const CSSM_FIELD *SignScope,
       uint32 ScopeSize,
       CSSM_DATA_PTR SignedCert)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  CCHandle (input)
          A signature context defining the CSP, signing algorithm, and
          private key that must be used to perform the operation. The
          passphrase for the private key is also provided.

  CertTemplate (input)
          A pointer to a CSSM_DATA structure containing a certificate
          template in the default format supported by this CL. The
          template contains values that are currently contained in or
          will be contained in a signed certificate.

  SignScope (input/optional)
          A pointer to the CSSM_FIELD array containing the OID/value
          pairs of the fields to be signed. A null input signs all the
          fields provided by CertTemplate.

  ScopeSize (input)
          The number of entries in the SignScope list. If the sign scope
          is not specified, the input value for scope size must be zero.

  SignedCert (output)
          A pointer to the CSSM_DATA structure containing the signed
          certificate.

DESCRIPTION

  This function signs a certificate using the private key and signing
  algorithm specified in the CCHandle. The result is a signed, encoded
  certificate in SignedCert. The certificate field values are specified
  in the input certificate template. The template is constructed using
  CSSM_CL_CertCreateTemplate() (CSSM API), or CL_CertCreateTemplate()
  (CL SPI). The template is in the default format for this CL.

  The CCHandle must be a signature context created using the function
  CSSM_CSP_CreateSignatureContext() (CSSM API), or
  CSP_CreateSignatureContext() (SPI). The context must specify the
  Cryptographic Services Provider (CSP) module, the signing algorithm,
  and the signing key that must be used to perform this operation.  The
  context must also provide the passphrase or a callback function to
  obtain the passphrase required to access and use the private key.

  The fields included in the signing operation are identified by the OIDs
  in the optional SignScope array.

  The memory for the SignedCert->Data output is allocated by the service
  provider using the calling application's memory management routines.
  The application must deallocate the memory.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CONTEXT_HANDLE
       CSSMERR_CL_UNKNOWN_FORMAT
       CSSMERR_CL_INVALID_FIELD_POINTER
       CSSMERR_CL_UNKNOWN_TAG
       CSSMERR_CL_INVALID_SCOPE
       CSSMERR_CL_INVALID_NUMBER_OF_FIELDS
       CSSMERR_CL_SCOPE_NOT_SUPPORTED

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertVerify
      CSSM_CL_CertCreateTemplate

  Functions for the CLI SPI:

      CL_CertVerify
      CL_CertCreateTemplate

3 CL_CertVerify

NAME

  CL_CertVerify,
  CSSM_CL_CertVerify - Verify a signed certificate (CDSA)

SYNOPSIS

  # include <cssm.h>

   API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertVerify
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *CertToBeVerified,
       const CSSM_DATA *SignerCert,
       const CSSM_FIELD *VerifyScope,
       uint32 ScopeSize)

   SPI:
       CSSM_RETURN CSSMAPI CSSM_CL_CertVerify
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *CertToBeVerified,
       const CSSM_DATA *SignerCert,
       const CSSM_FIELD *VerifyScope,
       uint32 ScopeSize)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETER

CLHandle (input)
          The handle that describes the add-in certificate
          library module used to perform this function.

  CCHandle (input/optional)
          The handle that describes the context of this cryptographic
          operation.

  CertToBeVerified (input)
          
          A pointer to the CSSM_DATA structure with a certificate
          containing at least one signature for verification. An
          unsigned certificate template cannot be verified.

  SignerCert (input/optional)
          A pointer to the CSSM_DATA structure containing the
          certificate used to sign the subject certificate. This
          certificate provides the public key to use in the
          verification process and if the certificate being
          verified contains multiple signatures, the signer's
          certificate indicates which signature is to be
          verified.

  VerifyScope (input/optional)
          A pointer to the CSSM_FIELD array containing the
          tag/value  pairs of the fields to be used in verifying
          the signature. (This should include all fields that
          were used to calculate the signature.) If the verify
          scope is null, the certificate library module assumes
          that its default set of certificate fields were used to
          calculate the signature, and those same fields are used
          in the verification process.
          
  ScopeSize (input)
          The number of entries in the verify scope list. If the
          verification scope is not specified, the input value for scope
          size must be zero.

DESCRIPTION

  This function verifies that the signed certificate has not been altered
  since it was signed by the designated signer. Only one signature is
  verified by this function. If the certificate to be verified includes
  multiple signatures, this function must be applied once for each
  signature to be verified. This function verifies a digital signature
  over the certificate fields specified by VerifyScope. If the
  verification scope fields are not specified, the function performs
  verification using a preselected set of fields in the certificate.

  The caller can specify a Cryptographic Service Provider (CSP) and
  verification algorithm that the CL can use to perform the verification.
  The handle for the CSP is contained in the cryptographic context
  identified by CCHandle.

  The verification process requires that the caller must specify the
  necessary verification algorithm parameters. These parameter values
  are specified in one of two locations:

      As a field value in the SignerCert parameter

      As a set of algorithm parameters contained in the cryptographic
       context identified by CCHandle

  If both of the preceding arguments are supplied, a consistency check
  is performed to ensure that they result in the same verification
  algorithm parameters. If they are not consistent, an error is returned.
  If only one of the above arguments is supplied, that argument is used
  to generate the verification algorithm parameters. If no algorithm
  parameters are found, the certificate cannot be verified and the
  operation fails.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CONTEXT_HANDLE
       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT
       CSSMERR_CL_INVALID_FIELD_POINTER
       CSSMERR_CL_UNKNOWN_TAG
       CSSMERR_CL_INVALID_SCOPE
       CSSMERR_CL_INVALID_NUMBER_OF_FIELDS
       CSSMERR_CL_SCOPE_NOT_SUPPORTED
       CSSMERR_CL_VERIFICATION_FAILURE

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertSign

  Functions for the CLI SPI:

      CL_CertSign

3 CL_CertVerifyWithKey

NAME

  CL_CertVerifyWithKey,
  CSSM_CL_CertVerifyWithKey - Verify with a key (CDSA)

SYNOPSIS

  # include <cssm.h>

  API:
       CSSM_RETURN CSSMAPI CSSM_CL_CertVerifyWithKey
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *CertToBeVerified)

  SPI:
       CSSM_RETURN CSSMCLI CL_CertVerifyWithKey
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *CertToBeVerified)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the certificate library service module
          used to perform this function.

  CCHandle (input)
          A signature verification context defining the CSP, verification
          algorithm, and public key that must be used to perform the
          operation.

  CertToBeVerified (input)
          A signed certificate whose signature is to be verified.

DESCRIPTION

  This function verifies that the CertToBeVerified parameter was signed
  using a specific private key and that the certificate has not been
  altered since it was signed using that private key. The public key
  corresponding to the private signing key is used in the verification
  process.

  The CCHandle, must be a signature verification context created using
  the function CSSM_CSP_CreateSignatureContext() (CSSM API), or
  CSP_CreateSignatureContext() (SPI). The context must specify the
  Cryptographic Services Provider (CSP) module, the verification
  algorithm, and the public verification key that must be used to
  perform this operation.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CONTEXT_HANDLE
       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT
       CSSMERR_CL_VERIFICATION_FAILURE

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CertVerify
      CSSM_CL_CrlVerify

  Functions for the CLI SPI:

      CL_CertVerify
      CL_CrlVerify

3 CL_CrlAbortCache

NAME

  CL_CrlAbortCache,
  CSSM_CL_CrlAbortCache - Terminate a CRL cache handle (CDSA)

SYNOPSIS

  # include <cssm.h>

   API:
       CSSM_RETURN CSSMAPI CSSM_CL_CrlAbortCache
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE CrlHandle)

   SPI:
       CSSM_RETURN CSSMCLI CL_CrlAbortCache
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE CrlHandle)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the certificate library module used
          to perform this function.

  CrlHandle (input)
          The handle that identifies the cached CRL.

DESCRIPTION

  This function terminates a CRL cache handle created and returned by
  the function CSSM_CL_CrlCache() (CSSM API), or CL_CrlCache() (CL SPI).
  The Certificate Library module releases all cache space and state
  information associated with the cached CRL.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CACHE_HANDLE

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CrlCache

  Functions for the CLI SPI:

      CL_CrlCache

3 CL_CrlAbortQuery

NAME

  CL_CrlAbortQuery,
  CSSM_CL_CrlAbortQuery - Terminate a query (CDSA)

SYNOPSIS

  # include <cssm.h>

   API:
       CSSM_RETURN CSSMAPI CSSM_CL_CrlAbortQuery
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE ResultsHandle)

   SPI:
       CSSM_RETURN CSSMCLI CL_CrlAbortQuery
       (CSSM_CL_HANDLE CLHandle,
       CSSM_HANDLE ResultsHandle)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  ResultsHandle (input)
          The handle that identifies the results of a CRL query.

DESCRIPTION

  This function terminates the query initiated by
  CSSM_CL_CrlGetFirstFieldValue() or CSSM_CL_CrlGetFirstCachedFieldValue()
  function (or their CL SPI equivalents), and allows the CL to release all
  intermediate state information associated with the repeating-value get
  operation. Once this function has been invoked, the results handle is
  invalid.

  Applications must invoke this function to terminate the ResultsHandle.
  Using CSSM_CL_CrlGetNextFieldValue() or
  CSSM_CL_CrlGetNextCachedFieldValue() (or their CL SPI equivalents), to
  access all of the attributes named by a single OID does not terminate
  the ResultsHandle. This function can be invoked to terminate the results
  handle without accessing all of the values identified by the single OID.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_RESULTS_HANDLE

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CrlGetFirstFieldValue
      CSSM_CL_CrlGetNextFieldValue
      CSSM_CL_CrlGetFirstCachedFieldValue
      CSSM_CL_CrlGetNextCachedFieldValue

  Functions for the CL SPI:

      CL_CrlGetFirstFieldValue
      CL_CrlGetNextFieldValue
      CL_CrlGetFirstCachedFieldValue
      CL_CrlGetNextCachedFieldValue

3 CL_CrlAddCert

NAME

  CL_CrlAddCert,
  CSSM_CL_CrlAddCert - Revoke an input certificate (CDSA)

SYNOPSIS

  # include <cssm.h>

   API:
       CSSM_RETURN CSSMAPI CSSM_CL_CrlAddCert
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *Cert,
       uint32 NumberOfFields,
       const CSSM_FIELD *CrlEntryFields,
       const CSSM_DATA *OldCrl,
       CSSM_DATA_PTR NewCrl)

   SPI:
       CSSM_RETURN CSSMCLI CL_CrlAddCert
       (CSSM_CL_HANDLE CLHandle,
       CSSM_CC_HANDLE CCHandle,
       const CSSM_DATA *Cert,
       uint32 NumberOfFields,
       const CSSM_FIELD *CrlEntryFields,
       const CSSM_DATA *OldCrl,
       CSSM_DATA_PTR NewCrl)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in certificate library module
          used to perform this function.

  CCHandle (input)
          The handle that describes the context of this cryptographic
          operation.

  Cert (input)
          A pointer to the CSSM_DATA structure containing the certificate
          to be revoked.

  NumberOfFields (input)
          The number of OID/value pairs specified in the CrlEntryFields
          input parameter.

  CrlEntryFields (input)
          An array of OID/value pairs specifying the initial values for
          descriptive data fields of the new CRL entry.

  OldCrl (input)
          A pointer to the CSSM_DATA structure containing the CRL to
          which the newly revoked certificate will be added.

  NewCrl (output)
          A pointer to the CSSM_DATA structure containing the updated
          CRL.  The NewCrl->Data is allocated by the service provider
          and must be deallocated by the application.

DESCRIPTION

  This function revokes the input certificate by adding a record
  representing the certificate to the CRL. The values for the new entry
  in the CRL are specified by the list of OID/value input pairs. The
  reason for revocation is a typical value specified in the list. The
  new CRL entry is signed using the private key and signing algorithm
  specified in the CCHandle.

  The CCHandle must be a context created using the function
  CSSM_CSP_CreateSignatureContext() (CSSM API), or
  CSP_CreateSignatureContext() (CL SPI). The context must specify the
  Cryptographic Services Provider (CSP) module, the signing algorithm,
  and the signing key that must be used to perform this operation. The
  context must also provide the passphrase or a callback function to
  obtain the passphrase required to access and use the private key.

  The operation is valid only if the CRL has not been closed by the
  process of signing the CRL, by calling CSSM_CL_CrlSign() (CSSM API),
  or CL_CrlSign() (CL SPI). Once the CRL has been signed, entries cannot
  be added or removed.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CONTEXT_HANDLE
       CSSMERR_CL_INVALID_CERT_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT
       CSSMERR_CL_INVALID_FIELD_POINTER
       CSSMERR_CL_UNKNOWN_TAG
       CSSMERR_CL_INVALID_NUMBER_OF_FIELDS
       CSSMERR_CL_INVALID_CRL_POINTER
       CSSMERR_CL_CRL_ALREADY_SIGNED

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CrlRemoveCert

  Functions for the CLI SPI:

      CL_CrlRemoveCert

3 CL_CrlCache

NAME

  CL_CrlCache,
  CSSM_CL_CrlCache - Cache a copy of a certificate revocation
                     list (CDSA)

SYNOPSIS

  # include <cssm.h>

   API:
       CSSM_RETURN CSSMAPI CSSM_CL_CrlCache
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Crl,
       CSSM_HANDLE_PTR CrlHandle)

   SPI:
       CSSM_RETURN CSSMCLI CL_CrlCache
       (CSSM_CL_HANDLE CLHandle,
       const CSSM_DATA *Crl,
       CSSM_HANDLE_PTR CrlHandle)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the certificate library module used
          to perform this function.

  Crl (input)
          A pointer to the CSSM_DATA structure containing the encoded
          CRL.

  CrlHandle (output)
          A pointer to the CSSM_HANDLE that should be used in all future
          references to the cached CRL.

DESCRIPTION

  This function caches a copy of a CertificateRevocationList (CRL) for
  subsequent accesses using the functions CSSM_CL_CrlGetFirstFieldValue()
  and CSSM_CL_CrlGetNextFieldValue() (or their CL SPI equivalents).

  The input CRL must be in an encoded representation. The Certificate
  Library module can cache the CRL in any appropriate internal
  representation.  Parsed or incrementally parsed representations are
  common. The selected representation is opaque to the caller.

  The application must call CSSM_CL_CrlCacheAbort() (CSSM API), or
  CL_CrlCacheAbort() (CL SPI), to remove the cached copy when additional
  get operations will not be performed on the cached CRL.

RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular
  error condition. The value CSSM_OK indicates success. All other values
  represent an error condition.

ERRORS

  Errors are described in the CDSA technical standard.  See CDSA.

       CSSMERR_CL_INVALID_CRL_POINTER
       CSSMERR_CL_UNKNOWN_FORMAT

SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA)

  Other Help Topics

  Functions for the CSSM API:

      CSSM_CL_CrlGetFirstCachedFieldValue
      CSSM_CL_CrlGetNextCachedFieldValue
      CSSM_CL_IsCertInCachedCrl
      CSSM_CL_CrlAbortQuery
      CSSM_CL_CrlAbortCache

  Functions for the CLI SPI:

      CL_CrlGetFirstCachedFieldValue
      CL_CrlGetNextCachedFieldValue
      CL_IsCertInCachedCrl
      CL_CrlAbortQuery
      CL_CrlAbortCache

3 CL_CrlCreateTemplate

NAME

  CL_CrlCreateTemplate,
  CSSM_CL_CrlCreateTemplate - Create an unsigned, memory-resident 
  CRL (CDSA)

SYNOPSIS

  # include <cssm.h>

   API:
       CSSM_RETURN CSSMAPI CSSM_CL_CrlCreateTemplate
       (CSSM_CL_HANDLE CLHandle,
       uint32 NumberOfFields,
       const CSSM_FIELD *CrlTemplate,
       CSSM_DATA_PTR NewCrl)

   SPI:
       CSSM_RETURN CSSMCLI CL_CrlCreateTemplate
       (CSSM_CL_HANDLE CLHandle,
       uint32 NumberOfFields,
       const CSSM_FIELD *CrlTemplate,
       CSSM_DATA_PTR NewCrl)

LIBRARY

  Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

PARAMETERS

  CLHandle (input)
          The handle that describes the add-in Certificate Library module
          used to perform this function.

  NumberOfFields (input)
          The number of OID/value pairs sp