HP UX Security Products and Features Software manual Design Criteria for Add-In Modules

Page 49

Common Data Security Architecture (CDSA) White Paper

Introduction to Add-in Modules

supports. The function tables consist of pointers to the service functions supported by the module and are created dynamically when the module is registered. Whenever the application makes function calls, CSSM uses these function pointers to call the appropriate module service.

When a module is detached, CSSM calls the Terminate function which allows the module to perform any necessary cleanup actions. CSSM calls the module’s EventNotify function to notify the add-in module as part of every attach and detach operation.

Interaction with add-in modules is not limited to CSSM and applications. Modules can use one another to implement their functionality.

For example, a CL module can use the capabilities of a CSP module to perform the cryptographic operations of sign and verify. In that case, the CL could package the certificate or CRL fields to be signed or verified, attach to the appropriate CSP module, and call CSSM_SignData or CSSM_VerifyData to perform the operation. Similarly, other CSSM add-in modules may use the CL module to implement their functionality.

The integrity services of CSSM can be used by CSP add-in modules to verify their own integrity and that of the CSSM. This aids in CSSM’s detection and protection against malicious attacks.

Design Criteria for Add-In Modules

Because a CDSA add-in module must work within the CDSA framework, it must comply with CDSA design criteria.

If the add-in module is a CSP, it must have a set of digital credentials that are verified by CSSM when the module is attached.

The add-in module installation program must create module information files using CSSM_ModuleInstall. The module information files are used for informing CSSM and applications of the module’s identity and capabilities.

The sequence of module initialization and verification steps must occur prior to dynamic binding of the CSP module with CSSM.

Global Unique Identifier (GUID)

Each add-in module is identified by a global unique identifier (GUID). The GUID is needed when the module is created, installed and used by the CSSM, applications, and any module. For example, the GUID is used by:

*the CSSM module information files to expose add-in module availability and capabilities to applications.

Chapter 1

49

Page 48 Page 50
Image 49
Page 48 Page 50
Contents Contents Migrating to Cdsa ZIP format Private Key File Sample Install Program Generating the Credential FileChapter Common Data Security Architecture Cdsa White PaperGlossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and AcronymsGlossary of Cdsa Terms and Acronyms RC2 Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms What Is CDSA? What Is CDSA?HP’s Implementation of Cdsa HP-UX Cdsa Product OverviewWhat Is CDSA? Cdsa Components on HP-UX Cdsa Components in HP-UXWhat Is CDSA? Example of Cdsa APIs Used for Applications vs. Shared Cdsa in the Context of Other Security ApplicationsLibraries Applications CDSA, shown relative to higher-level protocols and userHP’s Paradigm Shift Common Security Services Manager Cssm API Common Security Services Manager CssmCssm Module Information Files Cssmnotlongfilenamesys Cryptography Service Provider CSP API Cryptography Service Provider CSP APIPublic/Private Key Algorithms Dual Asymmetric Key AlgorithmSymmetric Key Algorithm RC2 or RC4 Authenticating a Digital SignatureCryptography Service Provider CSP API Hash Interaction between CSP and Applications CSP Operations Cryptography Service Provider CSP API Cryptography Service Provider CSP API Supported Functions and Algorithms Extensibility FunctionsCssmalgidcdmf Cssmalgiddsa Cssmalgiddh Purpose Pass-Through ID What is a Certificate? Certificate Library Services CL APICertificate Library Services CL API Outline of a Generic CertificateCertificate Revocation List CRL and Operations Interaction between Certificate Library and Application Interaction between Cssm and Certificate Library Interface Operations on CertificatesCertificate Library Interface Certificate Library Services CL API Certificate Library Services CL API Certificate Library Services CL API INTELX509V3PASSTHROUGHCREATEENCODEDNAME INTELX509V3PASSTHROUGHENCODENAME INTELX509V3PASSTHROUGHENCODEALGID INTELX509V3PASSTHROUGHREADCERTFROMFILE INTELX509V3PASSTHROUGHENCODEREVOKEDCERTLIST INTELX509V3PASSTHROUGHFINDSUPPORTINGCSP INTELX509V3PASSTHROUGHCSSMKEYTOSPKI Role of Add-In Modules in the Cdsa Framework Introduction to Add-in ModulesIntroduction to Add-in Modules Global Unique Identifier Guid Design Criteria for Add-In ModulesInitializer Add-In Module Install Program Code to Register Services with CssmTo Install an Add-In Library How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module forLd -b -o libmylib.1 +I MyAddInInit Implementing Integrity Checking in Add-In Modules Programming Self-Check Functions into the Initializer How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX Typeprocedure How to Create a Cdsa Add-In Module for HP-UX Or specify the following for CL/TP/DL add-ins With a Cssm capable of integrity checking Credential File Validating the CSP CredentialsCertificate Chain Validating the CSP CredentialsVerifying a Certificate Chain Validation SequenceVerifying the signature on the .SF file Integrity Check prior to LoadingSHA-1 11 Verifying the validity of the CSP library Self CheckIn-Memory vs. Static Checking Bilateral AuthenticationFurther References Concluding RemarksConcluding Remarks Concluding Remarks Appendix a Sample Install ProgramAppendix a Appendix a Cssmapimemoryfuncs Appendix a Else if argc != Destpath Sample Install Program Appendix a Sample Install Program Appendix B Generating the Credential FileHP Signing Policy for CSP Add-In Vendors for Cdsa Version HP Signing Policy for CSP Add-In Vendors for Cdsa VersionAppendix C Sample Add-in Module CodeAppendix C Appendix C Sample Add-in Module Code Appendix C Cssmreturn = Null Sample Add-in Module Code == Cssmfail Cssmmodulefuncs Appendix C Sample Add-in Module Code Appendix C Sample Add-in Module Code Data 100 Appendix C 101 102 Appendix C 103 104 Appendix D 105 Functions Needed for Add-in Module Integrity106 Appendix E 107 Trouble Shooting HP CdsaCdsa API Errors Cdsa API Errors108 Appendix E 109 110 Appendix E 111 112 Appendix E 113 114 Appendix E 115 116 Appendix E 117 Cdsa Start Up Errors when calling CSSMModuleAttach Cdsa Start Up Errors when calling CSSMModuleAttach118 Appendix E 119 Debugging Core Dumps Using DDE to Debug Cdsa Applications120 Appendix F 121 Migrating to Cdsa122 Appendix F 123 124 DL data structuresAppendix G 125 ZIP format126 Appendix G 127 128 Appendix H 129 Private Key File130 Private Key File Contention
Related manuals
Manual 62 pages 27.73 Kb
Top Page Image Contents