Manuals / Brands / Computer Equipment / Software / HP / Computer Equipment / Software

HP UX Security Products and Features Software CSSM Module Information Files, StringVersion:, BinaryThreadSafe:, BinaryServiceMasks:, BinaryNumberOfServices:, String*Description: CSSM Module

1 130

Download 130 pages, 250.55 Kb

Common Data Security Architecture (CDSA) White Paper

Common Security Services Manager (CSSM) API

operations.

Module veriﬁcation has three aspects:

•veriﬁcation of the module’s identity, based on a digitally-signed certiﬁcate

•veriﬁcation of object code, whose integrity is itself based on a signed hash of the object

•tightly binding the veriﬁed module identity with the veriﬁed set of object code.

CSSM Module Information Files

Each CSSM module (including CSSM itself and add-ins) must be installed on the system before applications can use it. CSSM_ModuleInstall() is the API used to install modules. CSSM_ModuleInstall() creates information ﬁles under the directory /var/cdsa/cssm. The information ﬁle for each module installed is named for its module GUID, in the form “module-guid”.info.

For example, the CSSM core has a module GUID of

{4405ee7c-eeac-11d1-b73d-0060b0b6e655}

Its module-guid.info ﬁle, named

/var/cdsa/cssm/{4405ee7c-eeac-11d1-b73d-0060b0b6e655}.info

contains the following information:

String*Location: /usr/lib/libcssm.1String*Name: Helwett-Packard Common Security Service Managers ModuleString*Version: 1.20String*Vendor: Hewlett-Packard CompanyString*Description: CSSM ModuleBinary*ThreadSafe: 00000000Binary*NumberOfServices: 00000000String*GUID: {4405ee7c-eeac-11d1-b73d-0060b0b6e655}Binary*ServiceMasks: 00000001

If the NumberOfServices is not 0, the directory guid contains information for each service.

CSSM_ModuleUnInstall() is the API to uninstall a module. CSSM_ModuleUnInstall() removes the module information ﬁle from /var/cdsa/cssm. After a module is uninstalled, it becomes unavailable to applications.

For HP-UX, CSSM core, the bundled CSP and the x509v3 CL are preinstalled into the system

Chapter 1

19

Contents

Contents 1. Common Data Security Architecture (CDSA) White Paper A.Sample Install Program B.Generating the Credential File C.Sample Add-inModule Code D.Functions Needed for Add-inModule Integrity E.Trouble Shooting HP CDSA Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms Glossary of CDSA Terms and Acronyms Page Page Page Page Page Page HP’s Implementation of CDSA Page CDSA Components in HP-UX Page Use CSSM_CL* APIs for developing applications using the CL shared library Use CL_* APIs for developing CL add-inmodules CDSA in the Context of Other Security Applications CDSA, shown relative to higher-levelprotocols and user applications End User Applications Higher-LevelSecurity Protocols (PKCS, SSL, S/MIME, IPSEC, SET, et al.) Common Security Services Manager (CSSM) APIs Crypotgraphy Certificate HP’s Paradigm Shift Common Security Services Manager (CSSM) API Common Security Services Manager (CSSM) API CSSM Module Information Files Page Public/Private Key Algorithms Symmetric Key Algorithm Figure 1-6Symmetric Key Algorithm [1] RC2 or RC4 [2] [3] Page Cryptography Service Provider (CSP) API [1] hash [2] [3] Interaction between CSP and Applications CSP Operations Page Page Extensibility Functions Supported Functions and Algorithms Algorithm IDs, shown with keysize speciﬁcation in bits: —CSSM_ALGID_CDMF; The effective key size of a 64-bitCDMF key is 40 bits —CSSM_ALGID_RC2; <=40, in any multiple of 8, between 8 and —CSSM_ALGID_RC4; <=40, in any multiple of 8, between 8 and •Digital Signature and Validation Algorithm ID: —CSSM_ALGID_MD5WithRSA —CSSM_ALGID_SHA1WithRSA —CSSM_ALGID_SHA1WithDSA •Parameter Generation Algorithm ID: Page What is a Certiﬁcate Certiﬁcate Revocation List (CRL) and Operations Interaction between Certiﬁcate Library and Application Operations on Certiﬁcates Certiﬁcate Operations Certiﬁcate Revocation List Operations Page output = CSSM_CL_PassThrough(CLHandle, PassThroughID, Input); INTEL_X509V3_PASSTHROUGH_ENCODE_CERTIFICATE INTEL_X509V3_PASSTHROUGH_DECODE_CERTIFICATE INTEL_X509V3_PASSTHROUGH_FREE_CERTIFICATE INTEL_X509V3_PASSTHROUGH_CREATE_ENCODED_NAME INTEL_X509V3_PASSTHROUGH_ENCODE_NAME INTEL_X509V3_PASSTHROUGH_DECODE_NAME INTEL_X509V3_PASSTHROUGH_FREE_NAME INTEL_X509V3_PASSTHROUGH_TRANSLATE_DERNAME_TO_STRING INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSION INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSIONS INTEL_X509V3_PASSTHROUGH_DECODE_EXTENSIONS INTEL_X509V3_PASSTHROUGH_FREE_EXTENSIONS INTEL_X509V3_PASSTHROUGH_ALGID_TO_ALGOID INTEL_X509V3_PASSTHROUGH_ALGOID_TO_ALGID INTEL_X509V3_PASSTHROUGH_DECODE_ALGID INTEL_X509V3_PASSTHROUGH_FREE_ALGID INTEL_X509V3_PASSTHROUGH_OPEN_FILE INTEL_X509V3_PASSTHROUGH_CLOSE_FILE INTEL_X509V3_PASSTHROUGH_WRITE_CERT_TO_FILE INTEL_X509V3_PASSTHROUGH_ENCODE_SIGNED_CRL INTEL_X509V3_PASSTHROUGH_DECODE_SIGNED_CRL INTEL_X509V3_PASSTHROUGH_FREE_SIGNED_CRL INTEL_X509V3_PASSTHROUGH_ENCODE_TBS_CERTLIST INTEL_X509V3_PASSTHROUGH_DECODE_TBS_CERTLIST INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERTLIST INTEL_X509V3_PASSTHROUGH_FREE_REVOKED_CERTLIST INTEL_X509V3_PASSTHROUGH_ENCODE_REVOKED_CERT_ENTRY INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERT_ENTRY INTEL_X509V3_PASSTHROUGH_FREE_REVOKED_CERT_ENTRY INTEL_X509V3_PASSTHROUGH_CSSMKEY_TO_SPKI INTEL_X509V3_PASSTHROUGH_SPKI_TO_CSSMKEY The Role of Add-InModules in the CDSA Framework Design Criteria for Add-InModules Global Unique Identiﬁer (GUID) Initializer Code to Register Services with CSSM Add-InModule Install Program To Install an Add-InLibrary How to Create a CDSA Add-InModule for HP-UX How to Create a CDSA Add-InModule for HP-UX Example: Page Implementing Integrity Checking in Add-InModules Programming Self-CheckFunctions into the Initializer ISL_SelfCheck ISL_SelfCheck does the following: ISL_SelfCheck •Retrieves self-checkcredentials from /usr/lib/cdsa/meta-inf •Veriﬁes the add-inmodule ISL_RetrieveSelfCheckCredentials GetModulePath The credential name has the form /usr/lib/cdsa/meta-inf/some-add-in.dsa ISL_RetrieveSelfCheckKey To make this function, the add-inprovider needs to ask HP to: •create a DSA public/private key pair for the add-inprovider •embed the public key in the function whose prototype is shown below The private key will be used in the signing process to create a credential ﬁle Programming AddInAuthenticate() to Perform Bilateral Authentication Please contact HP when you have need for these functions Sample Code Showing Bilateral Authentication in AddInAuthenticate() Page Completing the Development of a CSP that Performs Integrity Checking Page The Credential File X.509 Certiﬁcate Chain The Validation Sequence Integrity Check prior to Loading .DSA file, containing signer's DSA signature DSA Did the Signer's .SF file, containing hash of data in .MF file Are .MF or .SF file SHA-1 has been The Self Check Bilateral Authentication In-Memoryvs. Static Checking Further References Page Sample Install Program Appendix A Page Page Page Page Page Page Page Page Generating the Credential File HP Signing Policy for CSP Add-InVendors for CDSA Version HP Signing Policy for CSP Add-InVendors for CDSA Version C Sample Add-inModule Code Appendix C Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page D Functions Needed for Add-inModule Integrity IMPORTANT E Trouble Shooting HP CDSA CDSA API Errors CDSA API Errors Appendix E Page Page Page Page Page Page Page Page Page CDSA Start Up Errors when calling CSSM_ModuleAttach CDSA Start Up Errors when calling CSSM_ModuleAttach Page Debugging Core Dumps Using DDE to Debug CDSA Applications Migrating to CDSA Appendix F The following CDSA 1.2 data structures may be changed or obsoleted in CDSA 2.0: CSSM core data structures: CL data structures: DL data structures: CSP data structures: TP data structures: G ZIP format Appendix G Page Page H The Private Key File