Directory listing:

Name              Date          Size
certs/            07-Oct-2014   7
Makefile          16-Jun-2014   857
README            16-Jun-2014   2.3 KiB
vfyAllCerts       16-Jun-2014   158
vfyCacCert.cpp    16-Jun-2014   12.7 KiB

README

                              vfyCacCert README
                              last update 12/4/02

This directory contains a fully working example of how a CAC certificate must be verified. The input to the program, via argv[1], is a raw certificate (in the same format as a cert obtained from a CAC). The ultimate verification is performed by the CSSM_TP_CertGroupVerify() call. Most of this program demonstrates what you have to do between the time you have a CAC cert in hand and the time you call CSSM_TP_CertGroupVerify(). The main "wrapper" for the rather ugly CSSM_TP_CertGroupVerify() is vfyCert() in vfyCacCert.cpp.

The program attempts to open two different system-wide keychains, handles to which are passed into vfyCert(). Any system code which uses CSSM_TP_CertGroupVerify() to verify a CAC cert is expected to open these same two keychains. These keychains are:

/System/Library/Keychains/X509Certificates

  This contains the intermediate certs which are required for CAC verification.
  Attempting to verify a CAC cert without this keychain present on your
  system will certainly result in failure (though for illustrative
  purposes, vfyCacCert will go ahead and ask CSSM_TP_CertGroupVerify() to
  do its thing without this keychain).

/private/var/db/crls/crlcache.db

  This is a cache of CRLs which have been recently fetched from the net.
  vfyCacCert will work without this keychain, but verification is usually
  MUCH faster if the keychain is there.

  The purpose of the CRL cache is to avoid doing an LDAP fetch every time you
  try to verify a CAC. Entries in the cache go stale in a couple of days; the
  TP detects this and fetches new CRLs as needed, stuffing newly fetched CRLs
  back into the cache.

  The TP, in conjunction with the crlrefresh tool, will create this
  keychain if it does not exist. Your system must, however, contain
  the directory /var/db/crls/, owned by root, with permissions 0777
  (i.e. world-writable, so that the TP can create and update the cache
  file there from an unprivileged process).
  Note: Security-Sphinx2 creates this directory properly; the current
  Panther tree as of 12/4/02 creates the directory but fails to give
  it the proper 0777 permission. To use this on Panther, you have
  to su to root and make that change yourself (chmod 0777 /var/db/crls).

  Eventually the crlrefresh tool, which performs automatic pruning and
  refreshing of the CRL cache, will be run as a crontab job.

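Rather than discovering the missing 0777 permission from a slow or failing verification, it is worth checking both keychain locations before running vfyCacCert. The following shell script is an added example and is not part of the vfyCacCert sources; it checks the conditions the README describes (the CRL cache directory exists, is owned by root and has mode 0777, and the X509Certificates keychain is readable). The variable names CRL_DIR and INTERMEDIATE_KC, the function names and the file name vfy_preflight.sh are this example's own; the paths default to the ones named above.

```shell
#!/bin/sh
# Added example (not from the vfyCacCert sources): pre-flight checks for the
# two system-wide keychains that CSSM_TP_CertGroupVerify() is expected to use.
# CRL_DIR and INTERMEDIATE_KC are this script's own variable names; their
# defaults are the paths named in the README.

CRL_DIR=${CRL_DIR:-/private/var/db/crls}
INTERMEDIATE_KC=${INTERMEDIATE_KC:-/System/Library/Keychains/X509Certificates}

# dir_mode DIR: print the 10-character symbolic mode (e.g. drwxrwxrwx) of DIR.
# ls -ld is used rather than stat because stat's flags differ between BSD and GNU.
dir_mode() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# dir_owner DIR: print the owner name of DIR.
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_crl_dir DIR: verify the directory the TP and crlrefresh write the
# CRL cache into.  Returns 0 if it matches the README's requirements,
# 1 if it is missing, 2 if its mode is not 0777, 3 if it is not owned by root.
check_crl_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir (create it as root, mode 0777)"
        return 1
    fi
    mode=$(dir_mode "$dir")
    if [ "$mode" != "drwxrwxrwx" ]; then
        echo "wrong mode on $dir: $mode (want drwxrwxrwx, i.e. chmod 0777)"
        return 2
    fi
    owner=$(dir_owner "$dir")
    if [ "$owner" != "root" ]; then
        echo "wrong owner on $dir: $owner (want root)"
        return 3
    fi
    return 0
}

# check_intermediates FILE: the X509Certificates keychain must exist and be
# readable, otherwise the TP cannot build the chain and verification fails.
check_intermediates() {
    if [ ! -r "$1" ]; then
        echo "intermediate-cert keychain not readable: $1"
        return 1
    fi
    return 0
}

# preflight: run both checks; non-zero exit lets this gate a build or test run.
preflight() {
    rc=0
    check_crl_dir "$CRL_DIR" || rc=1
    check_intermediates "$INTERMEDIATE_KC" || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "ok: keychains in place; run ./vfyCacCert <raw-cert-file>"
    fi
    return $rc
}

# Run the checks only when executed as vfy_preflight.sh, not when sourced.
case "$0" in
    *vfy_preflight.sh) preflight ;;
esac
```

Run it as root (or after `su`) on the machine where vfyCacCert will be used; the exit code of check_crl_dir tells you which of the three requirements is unmet, and a return of 2 is exactly the Panther-tree problem the README describes.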