CL_CrlSign(3)CL_CrlSign(3)NAME
CL_CrlSign, CSSM_CL_CrlSign, CL_CrlSign - Sign a CRL (CDSA)
SYNOPSIS
# include <cdsa/cssm.h>
API: CSSM_RETURN CSSMAPI CSSM_CL_CrlSign (CSSM_CL_HANDLE CLHandle,
CSSM_CC_HANDLE CCHandle, const CSSM_DATA *UnsignedCrl, const CSSM_FIELD
*SignScope, uint32 ScopeSize, CSSM_DATA_PTR SignedCrl) SPI: CSSM_RETURN
CSSMCLI CL_CrlSign (CSSM_CL_HANDLE CLHandle, CSSM_CC_HANDLE CCHandle,
const CSSM_DATA *UnsignedCrl, const CSSM_FIELD *SignScope, uint32
ScopeSize, CSSM_DATA_PTR SignedCrl)
LIBRARY
Common Security Services Manager library (libcssm.so)
PARAMETERS
The handle that describes the add-in Certificate Library module used to
perform this function. The handle that describes the context of this
cryptographic operation. A pointer to the CSSM_DATA structure contain‐
ing the CRL to be signed. A pointer to the CSSM_FIELD array containing
the tag/value pairs of the fields to be signed. If the signing scope is
null, the Certificate Library module includes a default set of CRL
fields in the signing process. The number of entries in the sign scope
list. If the signing scope is not specified, the input scope size must
be zero. A pointer to the CSSM_DATA structure containing the signed
CRL. The SignedCrl->Data is allocated by the service provider and must
be deallocated by the application.
DESCRIPTION
This function signs a CRL using the private key and signing algorithm
specified in the CCHandle parameter. The result is a signed, encoded
certificate revocation list in SignedCrl. The unsigned CRL is specified
in the input UnsignedCrl. The UnsignedCrl is constructed using the
CSSM_CL_CrlCreateTemplate(), CSSM_CL_CrlSetFields(), CSSM_CL_CrlAdd‐
Cert(), and CSSM_CL_CrlRemoveCert() functions (for the CSSM API), or
their CL SPI equivalents.
The CCHandle must be context created using the function CSSM_CSP_Cre‐
ateSignatureContext() (CSSM API), or CSP_CreateSignatureContext()
(SPI). The context must specify the Cryptographic Services Provider
module, the signing algorithm, and the signing key that must be used to
perform this operation. The context must also provide the passphrase or
a callback function to obtain the passphrase required to access and use
the private key.
The fields included in the signing operation are identified by the OIDs
in the optional SignScope array.
Once the CRL has been signed it cannot be modified. This means that
entries cannot be added or removed from the CRL through application of
the CSSM_CL_CrlAddCert() or CSSM_CL_CrlRemoveCertCSSM_CL_CrlRemove‐
Cert() (or their CL SPI equivalent operations. A signed CRL can be ver‐
ified, applied to a data store, and searched for values.
The memory for the SignedCrl->Data output is allocated by the service
provider using the calling application's memory management routines.
The application must deallocate the memory.
RETURN VALUE
A CSSM_RETURN value indicating success or specifying a particular error
condition. The value CSSM_OK indicates success. All other values repre‐
sent an error condition.
ERRORS
Errors are described in the CDSA technical standard. See
CDSA_intro(3). CSSMERR_CL_INVALID_CONTEXT_HANDLE CSS‐
MERR_CL_INVALID_CRL_POINTER CSSMERR_CL_UNKNOWN_FORMAT CSS‐
MERR_CL_INVALID_FIELD_POINTER CSSMERR_CL_UNKNOWN_TAG CSS‐
MERR_CL_INVALID_SCOPE CSSMERR_CL_SCOPE_NOT_SUPPORTED CSS‐
MERR_CL_INVALID_NUMBER_OF_FIELDS CSSMERR_CL_CRL_ALREADY_SIGNED
SEE ALSO
Books
Intel CDSA Application Developer's Guide (see CDSA_intro(3))
Reference Pages
Functions for the CSSM API:
Functions: CSSM_CL_CrlVerify(3), CSSM_CL_CrlVerifyWithKey(3)
Functions for the CLI SPI:
CL_CrlVerify(3), CL_CrlVerifyWithKey(3)CL_CrlSign(3)