HP UX Security Products and Features Software manual Certificate Revocation List CRL and Operations

Page 35

Common Data Security Architecture (CDSA) White Paper

Certificate Library Services (CL) API

Certificates may have various classifications, and increasingly, developers are wanting to include more information in a certificate. The CL module bundled as part of CDSA allows you to create extensions, which can contain additional data.

Each field of a certificate format consists of a tag/value pair. The tag is is an object identifier (OID) that references specific data types or data structures within the certificate or CRL and indicates what kind of information the field contains. The value is the actual data corresponding to the field. The OIDs are defined in the header files oidscert.h and oidscrl.h, located in the /usr/include/cdsa/ directory. The OID structure is then passed to CSSM_CL_CertCreateTemplate(), to create the certificate.

Field management operations allow an application to retrieve fields from a certificate without knowledge of the certificate’s content or format. For example, CSSM_CL_CertGetFirstFieldValue() returns the value of a designated certificate field.

In order for a certificate to be valid, it must be signed. To sign a certificate, pass the template (output of CSSM_CL_CertCreateTemplate()) to CSSM_CL_CertSign(). Once a certificate is signed, its fields cannot be modified. However, they can be queried for their values using the CSSM certificate interface (for example, CSSM_CL_CertGetFirstFieldValue).

The CL bundled with HP-UX as part of CDSA allows for self-signing; that is, the CA and recipient can be the same. The CL can also receive someone else’s certificate and verify it.

Before using a certificate, you must verify that it is still valid. (For example, is the signature valid? Are the dates still valid? Certificates expire.) To do so, use the API CSSM_CL_CertVerify().

Certificate Revocation List (CRL) and Operations

Certificates can be withdrawn from use or rendered invalid by placing them on a certificate revocation list (CRL). An application generates a CRL by using the API CSSM_CL_CrlCreateTemplate(). An X.509v2 CRL has the following structure:

version

signature algorithm

Distinguished name field of issuer

Issue date of CRL

Date next CRL will be issued

list of revoked certificates

numbers and sequences of extensions, if present

The revoked certificates are linked as a list with each node having the following fields:

Chapter 1

35

Page 34 Page 36
Image 35
Page 34 Page 36
Contents Contents Migrating to Cdsa ZIP format Private Key File Sample Install Program Generating the Credential FileChapter Common Data Security Architecture Cdsa White PaperGlossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and AcronymsGlossary of Cdsa Terms and Acronyms RC2 Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms HP-UX Cdsa Product Overview What Is CDSA?What Is CDSA? HP’s Implementation of CdsaWhat Is CDSA? Cdsa Components on HP-UX Cdsa Components in HP-UXWhat Is CDSA? Libraries Cdsa in the Context of Other Security ApplicationsExample of Cdsa APIs Used for Applications vs. Shared Applications CDSA, shown relative to higher-level protocols and userHP’s Paradigm Shift Common Security Services Manager Cssm API Common Security Services Manager CssmCssm Module Information Files Cssmnotlongfilenamesys Dual Asymmetric Key Algorithm Cryptography Service Provider CSP APICryptography Service Provider CSP API Public/Private Key AlgorithmsSymmetric Key Algorithm RC2 or RC4 Authenticating a Digital SignatureCryptography Service Provider CSP API Hash Interaction between CSP and Applications CSP Operations Cryptography Service Provider CSP API Cryptography Service Provider CSP API Supported Functions and Algorithms Extensibility FunctionsCssmalgidcdmf Cssmalgiddsa Cssmalgiddh Purpose Pass-Through ID Outline of a Generic Certificate Certificate Library Services CL APIWhat is a Certificate? Certificate Library Services CL APICertificate Revocation List CRL and Operations Interaction between Certificate Library and Application Certificate Library Interface Operations on CertificatesInteraction between Cssm and Certificate Library Interface Certificate Library Services CL API Certificate Library Services CL API Certificate Library Services CL API INTELX509V3PASSTHROUGHCREATEENCODEDNAME INTELX509V3PASSTHROUGHENCODENAME INTELX509V3PASSTHROUGHENCODEALGID INTELX509V3PASSTHROUGHREADCERTFROMFILE INTELX509V3PASSTHROUGHENCODEREVOKEDCERTLIST INTELX509V3PASSTHROUGHFINDSUPPORTINGCSP INTELX509V3PASSTHROUGHCSSMKEYTOSPKI Introduction to Add-in Modules Introduction to Add-in ModulesRole of Add-In Modules in the Cdsa Framework Global Unique Identifier Guid Design Criteria for Add-In ModulesInitializer Add-In Module Install Program Code to Register Services with CssmTo Install an Add-In Library How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module forLd -b -o libmylib.1 +I MyAddInInit Implementing Integrity Checking in Add-In Modules Programming Self-Check Functions into the Initializer How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX Typeprocedure How to Create a Cdsa Add-In Module for HP-UX Or specify the following for CL/TP/DL add-ins With a Cssm capable of integrity checking Validating the CSP Credentials Validating the CSP CredentialsCredential File Certificate ChainVerifying a Certificate Chain Validation SequenceVerifying the signature on the .SF file Integrity Check prior to LoadingSHA-1 11 Verifying the validity of the CSP library Self CheckIn-Memory vs. Static Checking Bilateral AuthenticationConcluding Remarks Concluding RemarksFurther References Concluding Remarks Appendix a Sample Install ProgramAppendix a Appendix a Cssmapimemoryfuncs Appendix a Else if argc != Destpath Sample Install Program Appendix a Sample Install Program Appendix B Generating the Credential FileHP Signing Policy for CSP Add-In Vendors for Cdsa Version HP Signing Policy for CSP Add-In Vendors for Cdsa VersionAppendix C Sample Add-in Module CodeAppendix C Appendix C Sample Add-in Module Code Appendix C Cssmreturn = Null Sample Add-in Module Code == Cssmfail Cssmmodulefuncs Appendix C Sample Add-in Module Code Appendix C Sample Add-in Module Code Data 100 Appendix C 101 102 Appendix C 103 104 Appendix D 105 Functions Needed for Add-in Module Integrity106 Appendix E 107 Trouble Shooting HP Cdsa108 Cdsa API ErrorsCdsa API Errors Appendix E 109 110 Appendix E 111 112 Appendix E 113 114 Appendix E 115 116 Appendix E 117 118 Cdsa Start Up Errors when calling CSSMModuleAttachCdsa Start Up Errors when calling CSSMModuleAttach Appendix E 119 120 Using DDE to Debug Cdsa ApplicationsDebugging Core Dumps Appendix F 121 Migrating to Cdsa122 Appendix F 123 124 DL data structuresAppendix G 125 ZIP format126 Appendix G 127 128 Appendix H 129 Private Key File130 Private Key File Contention
Related manuals
Manual 62 pages 27.73 Kb
Top Page Image Contents