The objective of validation is to determine the authenticity
of the signer and the contents of the target file. These tasks are
just two of the many pieces of functionality that CDSA uses to perform
bilateral authentication of the calling and called programs. Secure
Delivery performs both authentication and validation.

CDSA performs file validation in two ways:

- The CDSA$VALIDATE utility. The user invokes this utility specifying a target file argument. This utility is described in “CDSA$VALIDATE.EXE”.
- The CDSA$VALIDATE_LIBSHR.EXE shareable image, which validates files programmatically. This shareable image is described in “The CDSA$VALIDATE_LIBSHR.EXE File”.

Validation Examples

The following two examples illustrate CDSA file validation.
The first example validates a file called HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED
and its associated manifest HP-AXPVMS-KERBEROS-V0200-6-1.PCSI _ESW.

    $ VALIDATE :== $SYS$SYSTEM:CDSA$VALIDATE.EXE ! see SYS$MANAGER:CDSA$SYMBOLS.COM
    $ VALIDATE /SYS$KIT/KERBEROS/HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED
    Validation of /SYS$KIT/KERBEROS/HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED SUCCEEDED.

In the next example the same validation is attempted but the
certificate used to create the manifest is revoked.

    $ VALIDATE /SYS$KIT/KERBEROS/HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED
    validation of /SYS$KIT/KERBEROS/HP-AXPVMS-KERBEROS-V0200-6-1.PCSI$COMPRESSED FAILED.
    Error: CSSMERR_TP_CERT_REVOKED Certificate has been revoked

The CDSA$VALIDATE_LIBSHR.EXE File

For applications that validate files programmatically, there
is no need to call CDSA$VALIDATE.EXE. Applications that link directly
with CDSA$VALIDATE_LIBSHR.EXE can call the routine CDSA_FileValidate for
their validation needs. Note that CDSA_FileValidate also returns
an OpenVMS-style return status: SS$_NORMAL indicating success and 0
indicating failure. In addition, if the CDSA_Ret_Status argument passed
in is not NULL, then the address of a CDSA return status is assigned.
The calling application must allocate and deallocate memory for
CDSA_Ret_Status. Currently, the target file must be passed in as a
UNIX-style path name, as in CDSA$VALIDATE.EXE.

In order for the validation process to succeed, the latest
signed CRL published by the CA must be in the CDSA$SYSDIR:[CRL]
directory. This file is CDSA$SECURE_DELIVERY.S_CRL and is used to
make sure that the manifest file was not signed by a certificate
that has already been revoked.
For more information, see the API “CDSA_FileValidate” on
page 73.
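
A DCL wrapper that enforces the two conditions described above before a kit is installed: the signed CRL must be present, and the utility must report SUCCEEDED. This is an added example, not code from the original manual; the procedure name VALIDATE_KIT.COM, the scratch log file name, and the assumption that the result line is written to SYS$OUTPUT in the form shown in the transcripts are all assumptions.

```dcl
$! VALIDATE_KIT.COM (hypothetical name) - added example, not HP's code.
$! P1 = UNIX-style path of the kit, as CDSA$VALIDATE.EXE expects.
$! Assumption: the result line is written to SYS$OUTPUT in the form
$! shown in the transcripts above. Anything else is treated as failure.
$ SET NOON
$ IF P1 .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "Usage: @VALIDATE_KIT unix-style-path"
$   GOTO REFUSE
$ ENDIF
$ VALIDATE := $SYS$SYSTEM:CDSA$VALIDATE.EXE
$!
$! Revocation can only be checked against the signed CRL, so require it.
$ CRL = F$SEARCH("CDSA$SYSDIR:[CRL]CDSA$SECURE_DELIVERY.S_CRL")
$ IF CRL .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "CDSA$SECURE_DELIVERY.S_CRL not found in CDSA$SYSDIR:[CRL]"
$   GOTO REFUSE
$ ENDIF
$ WRITE SYS$OUTPUT "Using CRL ", CRL, " revised ", F$FILE_ATTRIBUTES(CRL,"RDT")
$!
$! Capture the utility's output so the verdict can be tested.
$ LOG = "SYS$SCRATCH:CDSA_VALIDATE_" + F$GETJPI("","PID") + ".LOG"
$ DEFINE/USER_MODE SYS$OUTPUT 'LOG'
$ VALIDATE 'P1'
$ SEARCH/NOOUTPUT 'LOG' " SUCCEEDED."
$ FOUND = $STATUS
$ TYPE 'LOG'
$ DELETE/NOLOG 'LOG';*
$! %X08D78053 is SEARCH-I-NOMATCHES; an even status is a SEARCH error.
$ IF (FOUND .EQ. %X08D78053) .OR. (.NOT. FOUND) THEN GOTO REFUSE
$ WRITE SYS$OUTPUT "Kit validated."
$ EXIT 1
$!
$REFUSE:
$ WRITE SYS$OUTPUT "Kit NOT validated; do not install."
$ EXIT %X1000002C   ! SS$_ABORT with the message display inhibited
```

The procedure fails closed: a missing CRL, a missing log, or any output other than the SUCCEEDED line all end at REFUSE.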