The objective of validation is to determine the authenticity
of the signer and the contents of the target file. These tasks are
just two of the many pieces of functionality that CDSA uses to perform
bilateral authentication of the calling and called programs. Secure
Delivery performs both authentication and validation.
CDSA performs file validation in two ways:
utility. The user invokes this utility specifying a target file
argument. This utility is described in “CDSA$VALIDATE.EXE”.
The following two examples illustrate CDSA file validation.
The first example validates a file called HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED
and its associated manifest HP-AXPVMS-KERBEROS-V0200-6-1.PCSI _ESW.
$ VALIDATE :== $SYS$SYSTEM:CDSA$VALIDATE.EXE ! see SYS$MANAGER:CDSA$SYMBOLS.COM $ VALIDATE /SYS$KIT/KERBEROS/HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED Validation of /SYS$KIT/KERBEROS/HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED SUCCEEDED.
In the next example the same validation is attempted but the
certificate used to create the manifest is revoked.
$ VALIDATE /SYS$KIT/KERBEROS/HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED validation of /SYS$KIT/KERBEROS/HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED FAILED. Error: CSSMERR_TP_CERT_REVOKED Certificate has been revoked
For applications that validate files programmatically, there
is no need to call CDSA$VALIDATE.EXE. Applications that link directly
with CDSA$VALIDATE_LIBSHR.EXE can call the routine CDSA_FileValidate for
their validation needs. Note that CDSA_FileValidate also returns
an OpenVMS style return: SS$_NORMAL indicating success and 0 indicating
failure. In addition, if CDSA_Ret_Status is not a NULL value passed
in, then the address of a CDSA return status is assigned. The calling
application must allocate and deallocate memory for CDSA_Ret_Status.
Currently, the target file must be passed in as a UNIX style path
name as in CDSA$VALIDATE.EXE.
In order for the validation process to succeed, the latest
signed CRL published by the CA must be in the CDSA$SYSDIR:[CRL]
directory. This file is CDSA$SECURE_DELIVERY.S_CRL and is used to
make sure that the manifest file was not signed by a certificate
that has already been revoked.
For more information, see the API “CDSA_FileValidate” on