Contents
1. Common Data Security Architecture (CDSA) White Paper
A. Sample Install Program
B. Generating the Credential File
C. Sample Add-in Module Code
D. Functions Needed for Add-in Module Integrity
E. Trouble Shooting HP CDSA
Common Data Security Architecture (CDSA) White Paper
Glossary of CDSA Terms and Acronyms
HP’s Implementation of CDSA
CDSA Components in HP-UX
Use CSSM_CL* APIs for developing applications using the CL shared library
Use CL_* APIs for developing CL add-in modules
CDSA in the Context of Other Security Applications
CDSA, shown relative to higher-level protocols and user applications
End User Applications
Higher-Level Security Protocols (PKCS, SSL, S/MIME, IPSEC, SET, et al.)
Common Security Services Manager (CSSM) APIs
Cryptography
Certificate
HP’s Paradigm Shift
Common Security Services Manager (CSSM) API
CSSM Module Information Files
Public/Private Key Algorithms
Symmetric Key Algorithm
[Figure 1-6: Symmetric Key Algorithm; callouts [1]-[3]; surviving label: RC2 or RC4]
Cryptography Service Provider (CSP) API
[Figure: callouts [1]-[3]; surviving label: hash]
Interaction between CSP and Applications
CSP Operations
Extensibility Functions
Supported Functions and Algorithms
Algorithm IDs, shown with key size specification in bits:
— CSSM_ALGID_CDMF;
The effective key size of a 64-bit CDMF key is 40 bits
— CSSM_ALGID_RC2; <=40, in any multiple of 8, between 8 and
— CSSM_ALGID_RC4; <=40, in any multiple of 8, between 8 and
• Digital Signature and Validation Algorithm ID:
— CSSM_ALGID_MD5WithRSA
— CSSM_ALGID_SHA1WithRSA
— CSSM_ALGID_SHA1WithDSA
• Parameter Generation Algorithm ID:
What is a Certificate
Certificate Revocation List (CRL) and Operations
Interaction between Certificate Library and Application
Operations on Certificates
Certificate Operations
Certificate Revocation List Operations
output = CSSM_CL_PassThrough(CLHandle, PassThroughID, Input);
INTEL_X509V3_PASSTHROUGH_ENCODE_CERTIFICATE
INTEL_X509V3_PASSTHROUGH_DECODE_CERTIFICATE
INTEL_X509V3_PASSTHROUGH_FREE_CERTIFICATE
INTEL_X509V3_PASSTHROUGH_CREATE_ENCODED_NAME
INTEL_X509V3_PASSTHROUGH_ENCODE_NAME
INTEL_X509V3_PASSTHROUGH_DECODE_NAME
INTEL_X509V3_PASSTHROUGH_FREE_NAME
INTEL_X509V3_PASSTHROUGH_TRANSLATE_DERNAME_TO_STRING
INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSION
INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSIONS
INTEL_X509V3_PASSTHROUGH_DECODE_EXTENSIONS
INTEL_X509V3_PASSTHROUGH_FREE_EXTENSIONS
INTEL_X509V3_PASSTHROUGH_ALGID_TO_ALGOID
INTEL_X509V3_PASSTHROUGH_ALGOID_TO_ALGID
INTEL_X509V3_PASSTHROUGH_DECODE_ALGID
INTEL_X509V3_PASSTHROUGH_FREE_ALGID
INTEL_X509V3_PASSTHROUGH_OPEN_FILE
INTEL_X509V3_PASSTHROUGH_CLOSE_FILE
INTEL_X509V3_PASSTHROUGH_WRITE_CERT_TO_FILE
INTEL_X509V3_PASSTHROUGH_ENCODE_SIGNED_CRL
INTEL_X509V3_PASSTHROUGH_DECODE_SIGNED_CRL
INTEL_X509V3_PASSTHROUGH_FREE_SIGNED_CRL
INTEL_X509V3_PASSTHROUGH_ENCODE_TBS_CERTLIST
INTEL_X509V3_PASSTHROUGH_DECODE_TBS_CERTLIST
INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERTLIST
INTEL_X509V3_PASSTHROUGH_FREE_REVOKED_CERTLIST
INTEL_X509V3_PASSTHROUGH_ENCODE_REVOKED_CERT_ENTRY
INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERT_ENTRY
INTEL_X509V3_PASSTHROUGH_FREE_REVOKED_CERT_ENTRY
INTEL_X509V3_PASSTHROUGH_CSSMKEY_TO_SPKI
INTEL_X509V3_PASSTHROUGH_SPKI_TO_CSSMKEY
The Role of Add-In Modules in the CDSA Framework
Design Criteria for Add-In Modules
Global Unique Identifier (GUID)
Initializer
Code to Register Services with CSSM
Add-In Module Install Program
To Install an Add-In Library
How to Create a CDSA Add-In Module for HP-UX
Example:
Implementing Integrity Checking in Add-In Modules
Programming Self-Check Functions into the Initializer
ISL_SelfCheck
ISL_SelfCheck does the following:
• Retrieves self-check credentials from /usr/lib/cdsa/meta-inf
• Verifies the add-in module
ISL_RetrieveSelfCheckCredentials
GetModulePath
The credential name has the form /usr/lib/cdsa/meta-inf/some-add-in.dsa
ISL_RetrieveSelfCheckKey
To make this function, the add-in provider needs to ask HP to:
• create a DSA public/private key pair for the add-in provider
• embed the public key in the function whose prototype is shown below
The private key will be used in the signing process to create a credential file
Programming AddInAuthenticate() to Perform Bilateral Authentication
Please contact HP when you need these functions
Sample Code Showing Bilateral Authentication in AddInAuthenticate()
Completing the Development of a CSP that Performs Integrity Checking
The Credential File
X.509 Certificate Chain
The Validation Sequence
Integrity Check prior to Loading
[Figure: integrity check prior to loading; surviving labels: .DSA file, containing signer's DSA signature; .SF file, containing hash of data in .MF file; .MF or .SF file; DSA; SHA-1]
The Self Check
Bilateral Authentication
In-Memory vs. Static Checking
Further References
Sample Install Program
Appendix A
Generating the Credential File
HP Signing Policy for CSP Add-In Vendors for CDSA Version
C Sample Add-in Module Code
Appendix C
D Functions Needed for Add-in Module Integrity
IMPORTANT
E Trouble Shooting HP CDSA
CDSA API Errors
Appendix E
CDSA Start Up Errors when calling CSSM_ModuleAttach
Debugging Core Dumps
Using DDE to Debug CDSA Applications
Migrating to CDSA
Appendix F
The following CDSA 1.2 data structures may be changed or obsoleted in CDSA 2.0:
CSSM core data structures:
CL data structures:
DL data structures:
CSP data structures:
TP data structures:
G ZIP format
Appendix G
H The Private Key File