HP UX Security Products and Features Software manuals

130 pages250.55 Kb

1Contents
- 1. Common Data Security Architecture (CDSA) White Paper
- 2A.Sample Install Program
- B.Generating the Credential File
- C.Sample Add-inModule Code
- D.Functions Needed for Add-inModule Integrity
- E.Trouble Shooting HP CDSA
- F.Migrating to CDSA
- G.ZIP format
- H.The Private Key File
3Common Data Security
Architecture (CDSA) White
Paper
- Glossary of CDSA Terms and Acronyms
- 4Glossary of CDSA Terms and Acronyms
- 11HP’s Implementation of CDSA
- 13CDSA Components in HP-UX
  - Use CSSM_CL* APIs for developing applications using the
  - CL shared library
  - Use CL_* APIs for developing CL add-inmodules
- 15CDSA in the Context of Other Security Applications
  - CDSA, shown relative to higher-levelprotocols and user
  - applications
- 16End User Applications
  - Higher-LevelSecurity Protocols (PKCS, SSL, S/MIME, IPSEC, SET, et al.)
- Common Security Services Manager (CSSM) APIs
  - Crypotgraphy
  - Certificate
  - Data Storage
  - Trust Policy
  - Services
  - Cryptography
  - Certificate
  - Data
  - Trust
  - Services
  - Storage
  - Policy
  - Provider
  - (CL)
  - (CSP)
  - (DL)
  - (TP)
- 17HP’s Paradigm Shift
  - Common Security Services Manager (CSSM) API
- 18Common Security Services Manager (CSSM)
- API
- 19CSSM Module Information Files
- 21Public/Private Key Algorithms
  - 22Symmetric Key Algorithm
  - 23Figure 1-6Symmetric Key Algorithm
  - [1]
  - RC2 or RC4
  - [2]
  - [3]
  - [4]
  - Authenticating a Digital Signature
  - 25Cryptography Service Provider (CSP) API
  - [1]
  - hash
  - [2]
  - [3]
  - [4]
  - [5]
  - [6]
  - [7]
  - [8]
- 26Interaction between CSP and Applications
- 27CSP Operations
  - 30Extensibility Functions
  - Supported Functions and Algorithms
  - 31Algorithm IDs, shown with keysize speciﬁcation in bits:
  - —CSSM_ALGID_CDMF;
  - The effective key size of a 64-bitCDMF key is 40 bits
  - —CSSM_ALGID_RC2; <=40, in any multiple of 8, between 8 and
  - —CSSM_ALGID_RC4; <=40, in any multiple of 8, between 8 and
  - —CSSM_ALGID_MD5, unlimited
  - —CSSM_ALGID_SHA1 unlimited
  - •Asymmetric Key Generation
  - Algorithm ID, shown with keysize speciﬁcation:
  - —CSSM_ALGID_RSA; 512, 768
  - —CSSM_ALGID_DSA; 512, 768
  - —CSSM_ALGID_DH; 512, 768
  - Only keys with 512 bits length are allowed for key derivation
  - 32•Digital Signature and Validation Algorithm ID:
  - —CSSM_ALGID_MD5WithRSA
  - —CSSM_ALGID_SHA1WithRSA
  - —CSSM_ALGID_SHA1WithDSA
  - •Parameter Generation Algorithm ID:
  - —CSSM_ALGID_DSA
  - —CSSM_ALGID_DH
  - •Key Wrapping and Unwrapping
  - Algorithm ID, shown with keysize speciﬁcation in bits:
  - —CSSM_ALGID_RSA;
  - —CSSM_ALGID_RC2; <=40
  - —CSSM_ALGID_RC4; <=40
  - •Key Derivation
  - Algorithm ID, shown with supported derived key type:
  - —CSSM_ALGID_DH; CDMF, RC2, RC4
  - —CSSM_ALGID_MD5_PBE; CDMF
  - —CSSM_ALGID_SHA1_PBE; CDMF
  - Purpose
  - Pass-ThroughID
- 34What is a Certiﬁcate
  - 35Certiﬁcate Revocation List (CRL) and Operations
  - 36Interaction between Certiﬁcate Library and Application
- 37Operations on Certiﬁcates
  - 38Certiﬁcate Operations
  - 39Certiﬁcate Revocation List Operations
  - 41output = CSSM_CL_PassThrough(CLHandle, PassThroughID, Input);
  - INTEL_X509V3_PASSTHROUGH_ENCODE_CERTIFICATE
  - INTEL_X509V3_PASSTHROUGH_DECODE_CERTIFICATE
  - INTEL_X509V3_PASSTHROUGH_FREE_CERTIFICATE
  - INTEL_X509V3_PASSTHROUGH_CREATE_ENCODED_NAME
  - 42INTEL_X509V3_PASSTHROUGH_ENCODE_NAME
  - INTEL_X509V3_PASSTHROUGH_DECODE_NAME
  - INTEL_X509V3_PASSTHROUGH_FREE_NAME
  - INTEL_X509V3_PASSTHROUGH_TRANSLATE_DERNAME_TO_STRING
  - INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSION
  - INTEL_X509V3_PASSTHROUGH_DECODE_EXTENSION
  - 43INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSIONS
  - INTEL_X509V3_PASSTHROUGH_DECODE_EXTENSIONS
  - INTEL_X509V3_PASSTHROUGH_FREE_EXTENSIONS
  - INTEL_X509V3_PASSTHROUGH_ALGID_TO_ALGOID
  - INTEL_X509V3_PASSTHROUGH_ALGOID_TO_ALGID
  - INTEL_X509V3_PASSTHROUGH_ENCODE_ALGID
  - 44INTEL_X509V3_PASSTHROUGH_DECODE_ALGID
  - INTEL_X509V3_PASSTHROUGH_FREE_ALGID
  - INTEL_X509V3_PASSTHROUGH_OPEN_FILE
  - INTEL_X509V3_PASSTHROUGH_CLOSE_FILE
  - INTEL_X509V3_PASSTHROUGH_WRITE_CERT_TO_FILE
  - INTEL_X509V3_PASSTHROUGH_READ_CERT_FROM_FILE
  - 45INTEL_X509V3_PASSTHROUGH_ENCODE_SIGNED_CRL
  - INTEL_X509V3_PASSTHROUGH_DECODE_SIGNED_CRL
  - INTEL_X509V3_PASSTHROUGH_FREE_SIGNED_CRL
  - INTEL_X509V3_PASSTHROUGH_ENCODE_TBS_CERTLIST
  - INTEL_X509V3_PASSTHROUGH_DECODE_TBS_CERTLIST
  - INTEL_X509V3_PASSTHROUGH_FREE_TBS_CERTLIST_DATA
  - INTEL_X509V3_PASSTHROUGH_ENCODE_REVOKED_CERTLIST
  - 46INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERTLIST
  - INTEL_X509V3_PASSTHROUGH_FREE_REVOKED_CERTLIST
  - INTEL_X509V3_PASSTHROUGH_ENCODE_REVOKED_CERT_ENTRY
  - INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERT_ENTRY
  - INTEL_X509V3_PASSTHROUGH_FREE_REVOKED_CERT_ENTRY
  - INTEL_X509V3_PASSTHROUGH_FIND_SUPPORTING_CSP
  - 47INTEL_X509V3_PASSTHROUGH_CSSMKEY_TO_SPKI
  - INTEL_X509V3_PASSTHROUGH_SPKI_TO_CSSMKEY
- 48The Role of Add-InModules in the CDSA Framework
- 49Design Criteria for Add-InModules
- Global Unique Identiﬁer (GUID)
- 50Initializer
- 51Code to Register Services with CSSM
- Add-InModule Install Program
  - 52To Install an Add-InLibrary
  - How to Create a CDSA Add-InModule for HP-UX
- 53How to Create a CDSA Add-InModule for
- HP-UX
  - Example:
- 55Implementing Integrity Checking in Add-InModules
  - 56Programming Self-CheckFunctions into the Initializer
  - ISL_SelfCheck ISL_SelfCheck does the following:
  - ISL_SelfCheck
  - •Retrieves self-checkcredentials from /usr/lib/cdsa/meta-inf
  - •Veriﬁes the add-inmodule
  - •ISL_RetrieveSelfCheckCredentials
  - •ISL_RetrieveSelfCheckSectionName
  - •ISL_RetrieveSelfCheckKey
  - 57ISL_RetrieveSelfCheckCredentials
  - 58GetModulePath
  - The credential name has the
  - form /usr/lib/cdsa/meta-inf/some-add-in.dsa
  - 59ISL_RetrieveSelfCheckKey
  - To make this function, the add-inprovider needs to ask HP to:
  - •create a DSA public/private key pair for the add-inprovider
  - •embed the public key in the function whose prototype is shown below
  - The private key will be used in the signing process to create a credential ﬁle
- 60Programming AddInAuthenticate() to Perform Bilateral Authentication
  - 61Please contact HP when you have need for these functions
  - Sample Code Showing Bilateral Authentication in AddInAuthenticate()
- 63Completing the Development of a CSP that Performs Integrity Checking
- 65The Credential File
- X.509 Certiﬁcate Chain
- 66The Validation Sequence
- 67Integrity Check prior to Loading
  - .DSA file, containing signer's DSA signature
  - DSA
  - Did the
  - Signer's
  - Verify
  - Signature
  - verify
  - public key
  - Yes
  - .SF file
  - containing hash
  - .SF file was
  - created by Signer
  - 68.SF file, containing hash of data in .MF file
  - Are
  - .MF or .SF file
  - SHA-1
  - has been
  - HASH
  - hashes
  - tampered with
  - function
  - equal
  - STOP
  - Proceed to verify hash of shared library
  - .MF file, containing hash of
  - shared library and library name
  - .CSP shared
  - library has been
  - CSP shared library is valid
- 69The Self Check
- 70Bilateral Authentication
- In-Memoryvs. Static Checking
- 71Further References
73Sample Install Program
- 74Appendix A
83Generating the Credential File
- HP Signing Policy for CSP Add-InVendors for CDSA Version
- 84HP Signing Policy for CSP Add-InVendors for CDSA Version
85C Sample Add-inModule Code
- 86Appendix C
105D Functions Needed for Add-inModule Integrity
- 106IMPORTANT
107E Trouble Shooting HP CDSA
- CDSA API Errors
- 108CDSA API Errors
  - Appendix E
  - CDSA Start Up Errors when calling CSSM_ModuleAttach
- 118CDSA Start Up Errors when calling
- CSSM_ModuleAttach
- 120Debugging Core Dumps
- Using DDE to Debug CDSA Applications
121Migrating to CDSA
- 122Appendix F
- 123The following CDSA 1.2 data structures may be changed or obsoleted in CDSA 2.0:
- CSSM core data structures:
- CL data structures:
- 124DL data structures:
- CSP data structures:
- TP data structures:
125G ZIP format
- 126Appendix G
129H The Private Key File