HP UX Security Products and Features Software manual

Page 36

Common Data Security Architecture (CDSA) White Paper

Certificate Library Services (CL) API

Serial number of the revoked certificate

Date on which the revocation occurred

Number of extensions

Pointers to extensions, if present

The certificate library manages the translation from the certificate to be revoked to its representation in the CRL.

The contents of the CRL can be queried for its revocation records, certificates, or individual CRL fields.Field management APIs allow you to set or get CRL fields, or to add or remove certificates from the certificate revocation list.

The entire CRL can be signed or verified, to ensure the integrity of its contents as it is passed between systems. Certificates can be revoked or unrevoked by adding or removing them from the CRL at any time before the CRL is signed.

Each time a CRL is changed, it must be signed to maintain its validity.

Interaction between Certificate Library and Application

Making the CL available to an application requires coordination of CSSM, CL module, and application.

An application determines the availability and capabilities (for example, certificate types and fields) of the CL module by querying the CSSM module information files.

The application then requests that CSSM attach the CL.

The CSSM returns a CL handle to the application that uniquely identifies the pairing of the application thread to the CL module instance. This handle is used by the application to identify the CL in future function calls that the CSSM passes from an application to the CL.

The application must allocate and deallocate all memory passed into or out of the CL module. It does so when the CSSM passes the handle identifying the application and module pairing to the CL.

CL APIs manipulate memory-based objects only. The CL is not responsible for ensuring the persistence of those objects (certificates, CRLs, and others); that responsibility lies with an application and/or a data library.

At attach time, the CSSM receives the certificate library’s function table, making the CL functions accessible to the CSSM. Any unsupported function has a NULL function pointer in the function table.

A pass-through function of the CLI allows access to services beyond those defined in the CSSM API, based on the data format of the certificates and CRLs manipulated by the library. The CSSM passes an operation identifier and input parameters from the application to the

36

Chapter 1

Page 35 Page 37
Image 36
Page 35 Page 37
Contents Contents Sample Install Program Generating the Credential File Migrating to Cdsa ZIP format Private Key FileCommon Data Security Architecture Cdsa White Paper ChapterGlossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and AcronymsGlossary of Cdsa Terms and Acronyms RC2 Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms What Is CDSA? What Is CDSA?HP’s Implementation of Cdsa HP-UX Cdsa Product OverviewWhat Is CDSA? Cdsa Components in HP-UX Cdsa Components on HP-UXWhat Is CDSA? Cdsa in the Context of Other Security Applications Example of Cdsa APIs Used for Applications vs. SharedLibraries CDSA, shown relative to higher-level protocols and user ApplicationsHP’s Paradigm Shift Common Security Services Manager Cssm Common Security Services Manager Cssm APICssm Module Information Files Cssmnotlongfilenamesys Cryptography Service Provider CSP API Cryptography Service Provider CSP APIPublic/Private Key Algorithms Dual Asymmetric Key AlgorithmSymmetric Key Algorithm Authenticating a Digital Signature RC2 or RC4Cryptography Service Provider CSP API Hash Interaction between CSP and Applications CSP Operations Cryptography Service Provider CSP API Cryptography Service Provider CSP API Extensibility Functions Supported Functions and AlgorithmsCssmalgidcdmf Cssmalgiddsa Cssmalgiddh Purpose Pass-Through ID Certificate Library Services CL API What is a Certificate?Certificate Library Services CL API Outline of a Generic CertificateCertificate Revocation List CRL and Operations Interaction between Certificate Library and Application Operations on Certificates Interaction between Cssm and Certificate Library InterfaceCertificate Library Interface Certificate Library Services CL API Certificate Library Services CL API Certificate Library Services CL API INTELX509V3PASSTHROUGHCREATEENCODEDNAME INTELX509V3PASSTHROUGHENCODENAME INTELX509V3PASSTHROUGHENCODEALGID INTELX509V3PASSTHROUGHREADCERTFROMFILE INTELX509V3PASSTHROUGHENCODEREVOKEDCERTLIST INTELX509V3PASSTHROUGHFINDSUPPORTINGCSP INTELX509V3PASSTHROUGHCSSMKEYTOSPKI Introduction to Add-in Modules Role of Add-In Modules in the Cdsa FrameworkIntroduction to Add-in Modules Design Criteria for Add-In Modules Global Unique Identifier GuidInitializer Code to Register Services with Cssm Add-In Module Install ProgramTo Install an Add-In Library How to Create a Cdsa Add-In Module for How to Create a Cdsa Add-In Module for HP-UXLd -b -o libmylib.1 +I MyAddInInit Implementing Integrity Checking in Add-In Modules Programming Self-Check Functions into the Initializer How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX Typeprocedure How to Create a Cdsa Add-In Module for HP-UX Or specify the following for CL/TP/DL add-ins With a Cssm capable of integrity checking Validating the CSP Credentials Credential FileCertificate Chain Validating the CSP CredentialsValidation Sequence Verifying a Certificate ChainIntegrity Check prior to Loading Verifying the signature on the .SF fileSHA-1 Self Check 11 Verifying the validity of the CSP libraryBilateral Authentication In-Memory vs. Static CheckingConcluding Remarks Further ReferencesConcluding Remarks Concluding Remarks Sample Install Program Appendix aAppendix a Appendix a Cssmapimemoryfuncs Appendix a Else if argc != Destpath Sample Install Program Appendix a Sample Install Program Generating the Credential File Appendix BHP Signing Policy for CSP Add-In Vendors for Cdsa Version HP Signing Policy for CSP Add-In Vendors for Cdsa VersionSample Add-in Module Code Appendix CAppendix C Appendix C Sample Add-in Module Code Appendix C Cssmreturn = Null Sample Add-in Module Code == Cssmfail Cssmmodulefuncs Appendix C Sample Add-in Module Code Appendix C Sample Add-in Module Code Data 100 Appendix C 101 102 Appendix C 103 104 Functions Needed for Add-in Module Integrity Appendix D 105106 Trouble Shooting HP Cdsa Appendix E 107Cdsa API Errors Cdsa API Errors108 Appendix E 109 110 Appendix E 111 112 Appendix E 113 114 Appendix E 115 116 Appendix E 117 Cdsa Start Up Errors when calling CSSMModuleAttach Cdsa Start Up Errors when calling CSSMModuleAttach118 Appendix E 119 Using DDE to Debug Cdsa Applications Debugging Core Dumps120 Migrating to Cdsa Appendix F 121122 Appendix F 123 DL data structures 124ZIP format Appendix G 125126 Appendix G 127 128 Private Key File Appendix H 129Private Key File Contention 130
Related manuals
Manual 62 pages 27.73 Kb
Top Page Image Contents