HP UX Security Products and Features Software manual Common Security Services Manager Cssm

Page 18

Common Data Security Architecture (CDSA) White Paper

Common Security Services Manager (CSSM) API

Common Security Services Manager (CSSM)

API

The Common Security Services Manager (CSSM) provides the general-purpose core services of the CDSA and operates on behalf of its libraries and add-in modules, such as the cryptographic service provider (CSP) or certificate library (CL). The CSSM APIs support modules with functions to install and uninstall modules, dynamically select and load modules, and query modules about features and status.

System administration utilities use CSSM install and uninstall functions to maintain add-in modules on a local system. A module might implement a range of services across the CSSM APIs or restrict its purpose to a single CSSM category of service (for example, certificate library services only).

The CSSM is designed for add-in modules to be attached by means of an assigned, Globally Unique ID (GUID) with a set of descriptive attributes. Applications attach the module by specifying the module’s GUID. The attach function returns a handle representing a unique pairing between the caller and the attached module. This handle is then used as an input parameter when requesting services from the attached module; that is, CSSM uses the handle to match the caller with the appropriate service module. The calling application uses the handle to obtain services implemented by the attached module. Each call to attach is an independent request with its own handle and an independent execution state.

Before attaching a service module, an application can query the CSSM module information files about the system’s installed modules, their capabilities and functions, and the module’s GUID. Applications use this information to select a module. Applications can also query about CSSM itself.

The CSSM memory management functions are a class of routines for reclaiming memory allocated by CSSM on behalf of an application from the CSSM memory heap. When CSSM allocates objects from its own heap and returns them to an application, the application must inform CSSM when it no longer requires the use of that object. Applications use specific APIs to free CSSM-allocated memory. When an application invokes a free function, CSSM can choose to retain or free the indicated object, depending on other conditions known only to CSSM. In this way CSSM and applications work together to manage these objects in the CSSM memory heap.

As a security framework in which applications run, CSSM safeguards the environmental integrity against threat of viruses and other forms of impersonation. CSSM reduces the risk of these threats by requiring digitally signed modules and by checking dynamically the identity and integrity of CSP modules at attach time. This verification ensures that any modification, whether accidental or malicious, may be detected prior to performing trusted

18

Chapter 1

Page 17 Page 19
Image 18
Page 17 Page 19
Contents Contents Sample Install Program Generating the Credential File Migrating to Cdsa ZIP format Private Key FileCommon Data Security Architecture Cdsa White Paper ChapterGlossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and AcronymsGlossary of Cdsa Terms and Acronyms RC2 Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms HP’s Implementation of Cdsa What Is CDSA?What Is CDSA? HP-UX Cdsa Product OverviewWhat Is CDSA? Cdsa Components in HP-UX Cdsa Components on HP-UXWhat Is CDSA? Cdsa in the Context of Other Security Applications Example of Cdsa APIs Used for Applications vs. SharedLibraries CDSA, shown relative to higher-level protocols and user ApplicationsHP’s Paradigm Shift Common Security Services Manager Cssm Common Security Services Manager Cssm APICssm Module Information Files Cssmnotlongfilenamesys Public/Private Key Algorithms Cryptography Service Provider CSP APICryptography Service Provider CSP API Dual Asymmetric Key AlgorithmSymmetric Key Algorithm Authenticating a Digital Signature RC2 or RC4Cryptography Service Provider CSP API Hash Interaction between CSP and Applications CSP Operations Cryptography Service Provider CSP API Cryptography Service Provider CSP API Extensibility Functions Supported Functions and AlgorithmsCssmalgidcdmf Cssmalgiddsa Cssmalgiddh Purpose Pass-Through ID Certificate Library Services CL API Certificate Library Services CL APIWhat is a Certificate? Outline of a Generic CertificateCertificate Revocation List CRL and Operations Interaction between Certificate Library and Application Operations on Certificates Interaction between Cssm and Certificate Library InterfaceCertificate Library Interface Certificate Library Services CL API Certificate Library Services CL API Certificate Library Services CL API INTELX509V3PASSTHROUGHCREATEENCODEDNAME INTELX509V3PASSTHROUGHENCODENAME INTELX509V3PASSTHROUGHENCODEALGID INTELX509V3PASSTHROUGHREADCERTFROMFILE INTELX509V3PASSTHROUGHENCODEREVOKEDCERTLIST INTELX509V3PASSTHROUGHFINDSUPPORTINGCSP INTELX509V3PASSTHROUGHCSSMKEYTOSPKI Introduction to Add-in Modules Role of Add-In Modules in the Cdsa FrameworkIntroduction to Add-in Modules Design Criteria for Add-In Modules Global Unique Identifier GuidInitializer Code to Register Services with Cssm Add-In Module Install ProgramTo Install an Add-In Library How to Create a Cdsa Add-In Module for How to Create a Cdsa Add-In Module for HP-UXLd -b -o libmylib.1 +I MyAddInInit Implementing Integrity Checking in Add-In Modules Programming Self-Check Functions into the Initializer How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX Typeprocedure How to Create a Cdsa Add-In Module for HP-UX Or specify the following for CL/TP/DL add-ins With a Cssm capable of integrity checking Certificate Chain Validating the CSP CredentialsCredential File Validating the CSP CredentialsValidation Sequence Verifying a Certificate ChainIntegrity Check prior to Loading Verifying the signature on the .SF fileSHA-1 Self Check 11 Verifying the validity of the CSP libraryBilateral Authentication In-Memory vs. Static CheckingConcluding Remarks Further ReferencesConcluding Remarks Concluding Remarks Sample Install Program Appendix aAppendix a Appendix a Cssmapimemoryfuncs Appendix a Else if argc != Destpath Sample Install Program Appendix a Sample Install Program Generating the Credential File Appendix BHP Signing Policy for CSP Add-In Vendors for Cdsa Version HP Signing Policy for CSP Add-In Vendors for Cdsa VersionSample Add-in Module Code Appendix CAppendix C Appendix C Sample Add-in Module Code Appendix C Cssmreturn = Null Sample Add-in Module Code == Cssmfail Cssmmodulefuncs Appendix C Sample Add-in Module Code Appendix C Sample Add-in Module Code Data 100 Appendix C 101 102 Appendix C 103 104 Functions Needed for Add-in Module Integrity Appendix D 105106 Trouble Shooting HP Cdsa Appendix E 107Cdsa API Errors Cdsa API Errors108 Appendix E 109 110 Appendix E 111 112 Appendix E 113 114 Appendix E 115 116 Appendix E 117 Cdsa Start Up Errors when calling CSSMModuleAttach Cdsa Start Up Errors when calling CSSMModuleAttach118 Appendix E 119 Using DDE to Debug Cdsa Applications Debugging Core Dumps120 Migrating to Cdsa Appendix F 121122 Appendix F 123 DL data structures 124ZIP format Appendix G 125126 Appendix G 127 128 Private Key File Appendix H 129Private Key File Contention 130
Related manuals
Manual 62 pages 27.73 Kb
Top Page Image Contents