HP UX Security Products and Features Software Validating the CSP Credentials, Credential File

Page 65

Common Data Security Architecture (CDSA) White Paper

Validating the CSP Credentials

Validating the CSP Credentials

Before a CSP add-in module can be loaded by CSSM, CDSA must ensure that the module has not been tampered with. This is done by performing a series of verifications on the shared library.

Every CSP add-in module has a corresponding credential file that contains a digitally signed hash of the CSP shared library. Every time an application uses the CSP, a new SHA-1 hash of the CSP shared library is calculated and compared with the pre-calculated hash in the shared library’s corresponding credential file.

CDSA operations proceed only when the pre-calculated hash and the dynamically calculated hash match exactly and the signature authenticating the pre-calculated hash is verified.

The signature algorithm utilized is DSA, the hash algorithm SHA-1.

The Credential File

The credential file is a ZIP-formatted file containing three uncompressed files:

.MF file, containing the hash of the shared library and the library name. Also called manifest file.

.SF file, containing the hash of data in the .MF file This hash serves to validate the contents of the .MF file. Also called signature file.

.DSA file, containing the signer’s DSA signature on the .SF file. The .DSA file also contains X.509v3 certificates.

.DSA file contents are in a PKCS7 format [4].

For specifications of ZIP format, see “ZIP format” on page 333.

X.509 Certificate Chain

The embedded certificates provide a validation path from the root to the signer’s certificate.

The HP CDSA software has one root public key embedded in its framework. If the X.509 certificate chain cannot be constructed using the embedded key, the credential file cannot be validated.

The certificate chaining concept is illustrated in Figure 1-8 on page 66. Certificate 1 is signed with the root private key. Certificate 1 can be verified using the public key in Certificate 0. Certificate 2 is signed with Certificate 1’s private key and can be verified using Certificate 1’s public key. Certificate 3 is signed with Certificate 2’s private key and can be verified using

Chapter 1

65

Page 64 Page 66
Image 65
Page 64 Page 66
Contents Contents Migrating to Cdsa ZIP format Private Key File Sample Install Program Generating the Credential FileChapter Common Data Security Architecture Cdsa White PaperGlossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and AcronymsGlossary of Cdsa Terms and Acronyms RC2 Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms What Is CDSA? What Is CDSA?HP’s Implementation of Cdsa HP-UX Cdsa Product OverviewWhat Is CDSA? Cdsa Components on HP-UX Cdsa Components in HP-UXWhat Is CDSA? Libraries Cdsa in the Context of Other Security ApplicationsExample of Cdsa APIs Used for Applications vs. Shared Applications CDSA, shown relative to higher-level protocols and userHP’s Paradigm Shift Common Security Services Manager Cssm API Common Security Services Manager CssmCssm Module Information Files Cssmnotlongfilenamesys Cryptography Service Provider CSP API Cryptography Service Provider CSP APIPublic/Private Key Algorithms Dual Asymmetric Key AlgorithmSymmetric Key Algorithm RC2 or RC4 Authenticating a Digital SignatureCryptography Service Provider CSP API Hash Interaction between CSP and Applications CSP Operations Cryptography Service Provider CSP API Cryptography Service Provider CSP API Supported Functions and Algorithms Extensibility FunctionsCssmalgidcdmf Cssmalgiddsa Cssmalgiddh Purpose Pass-Through ID What is a Certificate? Certificate Library Services CL APICertificate Library Services CL API Outline of a Generic CertificateCertificate Revocation List CRL and Operations Interaction between Certificate Library and Application Certificate Library Interface Operations on CertificatesInteraction between Cssm and Certificate Library Interface Certificate Library Services CL API Certificate Library Services CL API Certificate Library Services CL API INTELX509V3PASSTHROUGHCREATEENCODEDNAME INTELX509V3PASSTHROUGHENCODENAME INTELX509V3PASSTHROUGHENCODEALGID INTELX509V3PASSTHROUGHREADCERTFROMFILE INTELX509V3PASSTHROUGHENCODEREVOKEDCERTLIST INTELX509V3PASSTHROUGHFINDSUPPORTINGCSP INTELX509V3PASSTHROUGHCSSMKEYTOSPKI Introduction to Add-in Modules Introduction to Add-in ModulesRole of Add-In Modules in the Cdsa Framework Global Unique Identifier Guid Design Criteria for Add-In ModulesInitializer Add-In Module Install Program Code to Register Services with CssmTo Install an Add-In Library How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module forLd -b -o libmylib.1 +I MyAddInInit Implementing Integrity Checking in Add-In Modules Programming Self-Check Functions into the Initializer How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX Typeprocedure How to Create a Cdsa Add-In Module for HP-UX Or specify the following for CL/TP/DL add-ins With a Cssm capable of integrity checking Credential File Validating the CSP CredentialsCertificate Chain Validating the CSP CredentialsVerifying a Certificate Chain Validation SequenceVerifying the signature on the .SF file Integrity Check prior to LoadingSHA-1 11 Verifying the validity of the CSP library Self CheckIn-Memory vs. Static Checking Bilateral AuthenticationConcluding Remarks Concluding RemarksFurther References Concluding Remarks Appendix a Sample Install ProgramAppendix a Appendix a Cssmapimemoryfuncs Appendix a Else if argc != Destpath Sample Install Program Appendix a Sample Install Program Appendix B Generating the Credential FileHP Signing Policy for CSP Add-In Vendors for Cdsa Version HP Signing Policy for CSP Add-In Vendors for Cdsa VersionAppendix C Sample Add-in Module CodeAppendix C Appendix C Sample Add-in Module Code Appendix C Cssmreturn = Null Sample Add-in Module Code == Cssmfail Cssmmodulefuncs Appendix C Sample Add-in Module Code Appendix C Sample Add-in Module Code Data 100 Appendix C 101 102 Appendix C 103 104 Appendix D 105 Functions Needed for Add-in Module Integrity106 Appendix E 107 Trouble Shooting HP Cdsa108 Cdsa API ErrorsCdsa API Errors Appendix E 109 110 Appendix E 111 112 Appendix E 113 114 Appendix E 115 116 Appendix E 117 118 Cdsa Start Up Errors when calling CSSMModuleAttachCdsa Start Up Errors when calling CSSMModuleAttach Appendix E 119 120 Using DDE to Debug Cdsa ApplicationsDebugging Core Dumps Appendix F 121 Migrating to Cdsa122 Appendix F 123 124 DL data structuresAppendix G 125 ZIP format126 Appendix G 127 128 Appendix H 129 Private Key File130 Private Key File Contention
Related manuals
Manual 62 pages 27.73 Kb
Top Page Image Contents