Library /sys$common/syshlp/helplib.hlb  —  CDSA  CDSA_API, TP CertGroupPrune
 NAME
   TP_CertGroupPrune,
   CSSM_TP_CertGroupPrune - Remove locally issued anchor
                            certificates (CDSA)

 SYNOPSIS
   # include <cssm.h>

    API:
        CSSM_RETURN CSSMAPI CSSM_TP_CertGroupPrune
        (CSSM_TP_HANDLE TPHandle,
        CSSM_CL_HANDLE CLHandle,
        const CSSM_DL_DB_LIST *DBList,
        const CSSM_CERTGROUP *OrderedCertGroup,
        CSSM_CERTGROUP_PTR *PrunedCertGroup)
    SPI:
        CSSM_RETURN CSSMTPI TP_CertGroupPrune
        (CSSM_TP_HANDLE TPHandle,
        CSSM_CL_HANDLE CLHandle,
        const CSSM_DL_DB_LIST *DBList,
        const CSSM_CERTGROUP *OrderedCertGroup,
        CSSM_CERTGROUP_PTR *PrunedCertGroup)

 LIBRARY
   Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

 PARAMETERS
   TPHandle (input)
           The handle to the trust policy module that performs this
           operation.

   CLHandle (input/optional)
           The handle to the certificate library module that can be used
           to manipulate and parse the certgroup certificates and the
           certificates in the specified data stores. If no certificate
           library module is specified, the TP module uses an assumed CL
           module.

   DBList (input)
           A list of handle pairs specifying a data storage library
           module and a data store, identifying certificate databases
           containing certificates (and possibly other security objects)
           that are managed by that module. The data stores are searched
           for anchor certificates restricted to have local scope. These
           certificates are candidates for removal from the subject
           certificate group.

   OrderedCertGroup (input)
           The initial complete set of semantically-related certificates -
           for example, the result of a CSSM_TP_CertGroupConstruct()
           (CSSM API), or TP_CertGroupConstruct() (TP SPI), call - from
           which certificates will be selectively removed.

   PrunedCertGroup (output)
           A pointer to a certificate group containing those
           certificates which are verifiable credentials outside of
           the local system. The CSSM_CERTGROUP and its substructure
           are allocated by the service provider and must be deallocated
           by the application.

 DESCRIPTION
   This function removes any locally issued anchor certificates from a
   constructed certificate group. The prune operation can remove those
   certificates that have been signed by any local certificate authority,
   as it is possible that these certificates will not be meaningful on
   other systems.

   This operation can also remove additional certificates that can be
   added to the certificate group again using the
   CSSM_TP_CertGroupConstruct() (CSSM API), or TP_CertGroupConstruct()
   (TP SPI), operation. The pruned certificate group should be suitable
   for export to external hosts/entities, which can in turn reconstruct
   and verify the certificate group.

   The DBList parameter specifies a set of data stores containing
   certificates that should be pruned from the group.
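
   The following is an added illustration, not code from the CDSA
   distribution or this help library. It models the prune semantics and the
   output-ownership rule with stand-in types; every name in it (model_cert,
   model_certgroup, model_prune, the sample data) is hypothetical, and
   matching certificates by subject and issuer name is an assumption.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in types for this example only; NOT the CDSA types from <cssm.h>. */
typedef struct { const char *subject, *issuer; } model_cert;
typedef struct { size_t count; model_cert *certs; } model_certgroup;
enum { MODEL_OK = 0, MODEL_BAD_POINTER, MODEL_NO_MEMORY };

/* Constructed sample data: a chain plus one anchor that exists only locally. */
model_cert sample_certs[] = {
    {"CN=host", "CN=Dept CA"}, {"CN=Dept CA", "CN=Example Root"},
    {"CN=Example Root", "CN=Example Root"}, {"CN=Local Root", "CN=Local Root"}};
model_cert local_certs[] = {{"CN=Local Root", "CN=Local Root"}};
model_certgroup sample_group = {4, sample_certs};
model_certgroup sample_store = {1, local_certs};   /* plays the role of DBList */

/* Assumption: a certificate matches a store entry by subject and issuer name. */
static int in_local_stores(const model_cert *c, const model_certgroup *stores, size_t n)
{
    for (size_t s = 0; s < n; s++)
        for (size_t i = 0; i < stores[s].count; i++)
            if (!strcmp(stores[s].certs[i].subject, c->subject) &&
                !strcmp(stores[s].certs[i].issuer, c->issuer))
                return 1;
    return 0;
}

/* Copies every certificate not found in the local stores into a newly
   allocated group, preserving order. The callee allocates; the caller frees. */
int model_prune(const model_certgroup *stores, size_t n,
                const model_certgroup *ordered, model_certgroup **pruned)
{
    if (!ordered || !pruned || (n && !stores)) return MODEL_BAD_POINTER;
    *pruned = NULL;                      /* never leave a stale pointer on failure */
    model_certgroup *out = calloc(1, sizeof *out);
    if (!out) return MODEL_NO_MEMORY;
    out->certs = calloc(ordered->count ? ordered->count : 1, sizeof *out->certs);
    if (!out->certs) { free(out); return MODEL_NO_MEMORY; }
    for (size_t i = 0; i < ordered->count; i++)
        if (!in_local_stores(&ordered->certs[i], stores, n))
            out->certs[out->count++] = ordered->certs[i];
    *pruned = out;
    return MODEL_OK;
}

void model_free_certgroup(model_certgroup *g)
{
    if (g) { free(g->certs); free(g); }
}
```

   With the sample data, pruning drops only CN=Local Root and leaves the
   three certificates an external host can reconstruct and verify.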

 RETURN VALUE
   A CSSM_RETURN value indicating success or specifying a particular
   error condition. The value CSSM_OK indicates success. All other
   values represent an error condition.

 ERRORS
   Errors are described in the CDSA technical standard.  See CDSA.

        CSSMERR_TP_INVALID_CL_HANDLE
        CSSMERR_TP_INVALID_DL_HANDLE
        CSSMERR_TP_INVALID_DB_HANDLE
        CSSMERR_TP_INVALID_DB_LIST_POINTER
        CSSMERR_TP_INVALID_DB_LIST
        CSSMERR_TP_INVALID_CERTGROUP_POINTER
        CSSMERR_TP_INVALID_CERTGROUP
        CSSMERR_TP_INVALID_CERTIFICATE
        CSSMERR_TP_CERTGROUP_INCOMPLETE

 SEE ALSO
   Books

   Intel CDSA Application Developer's Guide (see CDSA)

   Other Help Topics

   Functions for the CSSM API:

       CSSM_TP_CertGroupConstruct
       CSSM_TP_CertGroupVerify

   Functions for the TP SPI:

       TP_CertGroupConstruct
       TP_CertGroupVerify