The files required for the IBM Standard Trust Policy Library, Version 1.0 are:
The IBM Standard Trust Policy Library provides a simple generic service for verifying chains of X.509 certificates. The current version does not support operations that require DL operations. This module expects X.509 Version 3 signed certificates in ASN/DER-encoded format. To verify a given certificate, the application must supply the complete chain (see Table 7). The library is to be used in conjunction with the IBM Certificate Library, Version 1.0 service provider and the IBM Software Service Cryptographic Provider, Version 1.0.
Table 7. IBM Standard Trust Policy Library OCSF Functions

| Function | Supported | Comments |
|---|---|---|
| CSSM_TP_CertSign | No | |
| CSSM_TP_CertRevoke | No | |
| CSSM_TP_CrlSign | No | |
| CSSM_TP_CrlVerify | No | |
| CSSM_TP_ApplyCrlToDb | No | |
| CSSM_TP_CertGroupConstruct | No | |
| CSSM_TP_CertGroupPrune | No | |
| CSSM_TP_CertGroupVerify | Yes | See Note 1 |
| CSSM_TP_PassThrough | No | |
Notes:

1. CSSM_TP_CertGroupVerify - The application should supply one anchor certificate and an ordered chain of certificates in the CertToBeVerified argument. These function arguments are ignored: Evidence, EvidenceSize, Action, PolicyIdentifiers, NumberOfPolicyIdentifiers, VerificationAbortOn, VerifyScope, ScopeSize, DBList, Data. The function returns the error codes shown in Table 8.
Table 8. CSSM_TP_CertGroupVerify Error Codes

| Error Code | Description |
|---|---|
| CSSM_TP_INVALID_TP_HANDLE | TPHandle argument is NULL or invalid. |
| CSSM_TP_INVALID_CL_HANDLE | CLHandle argument is NULL or invalid. |
| CSSM_TP_INVALID_CSP_HANDLE | CSPHandle argument is NULL or invalid. |
| CSSM_TP_INVALID_DATA_POINTER | CertToBeVerified argument is NULL or invalid. This argument is invalid if the length is set to 0 or the pointer to data is NULL. |
| CSSM_TP_INVALID_CC_HANDLE | This error occurs if TP is unable to create a cryptographic context using the supplied CSPHandle and the certificates. |
| CSSM_TP_ANCHOR_NOT_SELF_SIGNED | The supplied anchor certificate is not self-signed. |
| CSSM_TP_ANCHOR_NOT_FOUND | The supplied anchor certificate is not the anchor for any of the certificates in the supplied chain. |
| CSSM_TP_CERT_VERIFY_FAIL | The supplied certificate chain cannot be verified. |
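The following is an added illustration, not IBM OCSF code: a minimal model of the checks the notes and Table 8 describe for CSSM_TP_CertGroupVerify (anchor must be self-signed, anchor must issue a certificate in the chain, the chain is ordered from end entity toward the anchor). Certificates are constructed dicts, signature checking is modelled by comparing recorded key ids rather than by real cryptography, and the order in which the checks are applied is an assumption.

```python
# Added example, not the IBM Standard Trust Policy Library's own code.
# Error-code names come from Table 8; the library's numeric values are not
# on the page, so the names themselves are used as return values.
CSSM_TP_INVALID_DATA_POINTER = "CSSM_TP_INVALID_DATA_POINTER"
CSSM_TP_ANCHOR_NOT_SELF_SIGNED = "CSSM_TP_ANCHOR_NOT_SELF_SIGNED"
CSSM_TP_ANCHOR_NOT_FOUND = "CSSM_TP_ANCHOR_NOT_FOUND"
CSSM_TP_CERT_VERIFY_FAIL = "CSSM_TP_CERT_VERIFY_FAIL"


def cert(subject, issuer, key_id, signed_with):
    """Constructed stand-in for an X.509 v3 certificate (hypothetical)."""
    return {"subject": subject, "issuer": issuer,
            "key": key_id, "sig_key": signed_with}


def signed_by(c, issuer_cert):
    # A real TP would hand the signature to the CSP for verification with
    # issuer_cert's public key; here we only compare the recorded key id.
    return (c["issuer"] == issuer_cert["subject"]
            and c["sig_key"] == issuer_cert["key"])


def cert_group_verify(anchor, chain):
    """Return None on success, otherwise a Table 8 error-code name.

    `chain` is ordered from the end-entity certificate toward the anchor,
    as the notes require; the anchor is passed separately.
    """
    if not chain:  # models an empty/NULL CertToBeVerified argument
        return CSSM_TP_INVALID_DATA_POINTER
    if not signed_by(anchor, anchor):  # anchor must be self-signed
        return CSSM_TP_ANCHOR_NOT_SELF_SIGNED
    if not any(c["issuer"] == anchor["subject"] for c in chain):
        return CSSM_TP_ANCHOR_NOT_FOUND
    # Walk the ordered chain: each certificate must be signed by the next
    # one, and the last certificate must be signed by the anchor.
    for i, c in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else anchor
        if not signed_by(c, issuer):
            return CSSM_TP_CERT_VERIFY_FAIL
    return None


if __name__ == "__main__":
    root = cert("Root CA", "Root CA", "k_root", "k_root")
    inter = cert("Inter CA", "Root CA", "k_int", "k_root")
    leaf = cert("server", "Inter CA", "k_leaf", "k_int")
    print(cert_group_verify(root, [leaf, inter]))   # None (verified)
    print(cert_group_verify(root, [inter, leaf]))   # CSSM_TP_CERT_VERIFY_FAIL
```

Passing the chain in the wrong order is rejected just like a bad signature, which is why the notes insist on an ordered chain.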