
Handling Expired Certificates of Identity

For a dishonest principal to make use of an intercepted certificate of identity, it must succeed in decrypting it. In order to make the task of decryption more difficult, a certificate of identity has a limited lifespan; and, once it expires, the associated login context is no longer valid.

Because this security feature may inconvenience users, an application may wish to warn a user when the certificate of identity is about to expire. The sec_login_get_expiration( ) routine returns the expiration date of a certificate of identity. When a certificate of identity is about to expire, the application may call sec_login_refresh_identity( ), which may be used to refresh any login context.

Similarly, a server principal may need to determine whether a certificate of identity may expire during some long network operation and, if the certificate of identity is likely to expire, refresh it to ensure that the operation is not prevented from completion. Following is an example:

    sec_login_get_expiration(login_context, &expire_time, &st);
    if (expire_time < (current_time + operation_duration))
    {
        if (sec_login_refresh_identity(login_context, &st))
        {
            /* ...identity has changed and must be validated again... */
        }
        else
        {
            /* ...login context cannot be renewed... */
            exit(0);
        }
    }
    operation();

Because sec_login_refresh_identity( ) acquires a certificate of identity, refreshed contexts must be revalidated with sec_login_validate_identity( ) or sec_login_valid_and_cert_ident( ) before they can be used.

The expiration date of a login context has no meaning with respect to local identity information; for the same reason, sec_login_refresh_identity( ) cannot refresh a login context that has been authenticated locally.
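
The check, refresh, and revalidate sequence described above, together with the locally authenticated case, as an added example that is not part of the original DCE documentation. The ctx_ops callbacks are hypothetical wrappers around the sec_login routines (assumed to return 0 on success), and the fake_ctx backend is constructed so the logic runs without a DCE cell.

```c
/* Added example, not DCE code. The ctx_ops callbacks are hypothetical wrappers
 * around sec_login_get_expiration(), sec_login_refresh_identity() and
 * sec_login_validate_identity(); each is assumed to return 0 on success. */
#include <stdio.h>
#include <time.h>

typedef enum { CTX_FRESH, CTX_RENEWED, CTX_LOCAL_ONLY,
               CTX_REFRESH_FAILED, CTX_VALIDATE_FAILED } ctx_result;

typedef struct {
    int (*is_local)(void *ctx);                 /* nonzero: locally authenticated */
    int (*get_expiration)(void *ctx, time_t *expires);
    int (*refresh)(void *ctx);
    int (*validate)(void *ctx);
} ctx_ops;

/* Decide whether ctx outlives an operation of `duration` seconds starting at
 * `now`; refresh and revalidate it if not. Only CTX_FRESH and CTX_RENEWED
 * mean the context may be used for network operations. */
ctx_result ensure_context_for(const ctx_ops *ops, void *ctx, time_t now, time_t duration)
{
    time_t expires;
    if (ops->is_local(ctx))
        return CTX_LOCAL_ONLY;      /* expiration is meaningless, refresh impossible */
    /* Compare remaining lifetime so that now + duration is never computed. */
    if (ops->get_expiration(ctx, &expires) == 0 && expires - now >= duration)
        return CTX_FRESH;
    if (ops->refresh(ctx) != 0)     /* also reached when expiration is unknown */
        return CTX_REFRESH_FAILED;
    if (ops->validate(ctx) != 0)    /* a refreshed context is unvalidated */
        return CTX_VALIDATE_FAILED;
    return CTX_RENEWED;
}

/* Constructed in-memory backend so the example runs without a DCE cell. */
typedef struct { time_t expires; int local, refresh_ok, validate_ok, validated; } fake_ctx;
static int f_local(void *c) { return ((fake_ctx *)c)->local; }
static int f_exp(void *c, time_t *e) { *e = ((fake_ctx *)c)->expires; return 0; }
static int f_refresh(void *c) {
    fake_ctx *f = c;
    if (!f->refresh_ok) return -1;
    f->expires += 36000; f->validated = 0;   /* new certificate, not yet validated */
    return 0;
}
static int f_validate(void *c) { fake_ctx *f = c; return (f->validated = f->validate_ok) ? 0 : -1; }
static const ctx_ops fake_ops = { f_local, f_exp, f_refresh, f_validate };

int main(void)
{
    fake_ctx c = { 1000, 0, 1, 1, 1 };       /* constructed: expires at t=1000 */
    printf("%d\n", ensure_context_for(&fake_ops, &c, 900, 600));
    return 0;
}
```

A caller should treat every result other than CTX_FRESH and CTX_RENEWED as a reason not to start the network operation.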