Manuals / Brands / Computer Equipment / Software / HP / Computer Equipment / Software

HP UX Security Products and Features Software Glossary of CDSA Terms and Acronyms, Glossary of CDSA Terms and Acronyms

1 130

Download 130 pages, 250.55 Kb

Common Data Security Architecture (CDSA) White Paper

Glossary of CDSA Terms and AcronymsGlossary of CDSA Terms and Acronyms

API

Application program interface.

Abstract Syntax Notation One (ASN.1)

A standard means of describing a message that can be sent over a network. Two ISO standards deﬁne ASN.1 syntax (ISO 8824/ITU X.208) and encoding rules (ISO 8825/ITU X.209) for applications using the Open Systems Interconnection (OSI) framework.

Add-in modules

Shared libraries that when attached to the Common Security Services Manager provide cryptography services (these are called CSPs), certiﬁcate library services (CLs), data storage libraries (DLs), and trust policy libraries (TPs).

Certiﬁcate Authority (CA)

A trusted party that creates and issues certiﬁcates (electronic identities) to users and “signs” certiﬁcates with their private key. A Certiﬁcate Authority attests to the legitimacy of the user by the certiﬁcate signing action.

Typically, a CA will require additional proof of identity before signing a user’s certiﬁcate, such as a birth certiﬁcate or driver’s license.

Certiﬁcate Library Services (CL)

A module that performs operations on digital certiﬁcates. Each certiﬁcate library has knowledge of one or more speciﬁc certiﬁcate formats. Certiﬁcate libraries perform the following operations: signing and signature veriﬁcation of certiﬁcates; management of certiﬁcate ﬁelds; export and import of multiple certiﬁcate formats. The HP-UX implementation of CDSA supports X.509v3 certiﬁcates and X.509v2 certiﬁcate revocation lists (CRLs).

Common Data Security Architecture (CDSA)

An open cross-platform, interoperable and extensible software framework consisting of APIs designed to make computers more secure for applications such as electronic commerce, communications, and digital content. CDSA provides an infrastructure for managing the various security-related services embodied in existing security standards.

4

Chapter 1

Contents

Contents 1. Common Data Security Architecture (CDSA) White Paper A.Sample Install Program B.Generating the Credential File C.Sample Add-inModule Code D.Functions Needed for Add-inModule Integrity E.Trouble Shooting HP CDSA Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms Glossary of CDSA Terms and Acronyms Page Page Page Page Page Page HP’s Implementation of CDSA Page CDSA Components in HP-UX Page Use CSSM_CL* APIs for developing applications using the CL shared library Use CL_* APIs for developing CL add-inmodules CDSA in the Context of Other Security Applications CDSA, shown relative to higher-levelprotocols and user applications End User Applications Higher-LevelSecurity Protocols (PKCS, SSL, S/MIME, IPSEC, SET, et al.) Common Security Services Manager (CSSM) APIs Crypotgraphy Certificate HP’s Paradigm Shift Common Security Services Manager (CSSM) API Common Security Services Manager (CSSM) API CSSM Module Information Files Page Public/Private Key Algorithms Symmetric Key Algorithm Figure 1-6Symmetric Key Algorithm [1] RC2 or RC4 [2] [3] Page Cryptography Service Provider (CSP) API [1] hash [2] [3] Interaction between CSP and Applications CSP Operations Page Page Extensibility Functions Supported Functions and Algorithms Algorithm IDs, shown with keysize speciﬁcation in bits: —CSSM_ALGID_CDMF; The effective key size of a 64-bitCDMF key is 40 bits —CSSM_ALGID_RC2; <=40, in any multiple of 8, between 8 and —CSSM_ALGID_RC4; <=40, in any multiple of 8, between 8 and •Digital Signature and Validation Algorithm ID: —CSSM_ALGID_MD5WithRSA —CSSM_ALGID_SHA1WithRSA —CSSM_ALGID_SHA1WithDSA •Parameter Generation Algorithm ID: Page What is a Certiﬁcate Certiﬁcate Revocation List (CRL) and Operations Interaction between Certiﬁcate Library and Application Operations on Certiﬁcates Certiﬁcate Operations Certiﬁcate Revocation List Operations Page output = CSSM_CL_PassThrough(CLHandle, PassThroughID, Input); INTEL_X509V3_PASSTHROUGH_ENCODE_CERTIFICATE INTEL_X509V3_PASSTHROUGH_DECODE_CERTIFICATE INTEL_X509V3_PASSTHROUGH_FREE_CERTIFICATE INTEL_X509V3_PASSTHROUGH_CREATE_ENCODED_NAME INTEL_X509V3_PASSTHROUGH_ENCODE_NAME INTEL_X509V3_PASSTHROUGH_DECODE_NAME INTEL_X509V3_PASSTHROUGH_FREE_NAME INTEL_X509V3_PASSTHROUGH_TRANSLATE_DERNAME_TO_STRING INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSION INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSIONS INTEL_X509V3_PASSTHROUGH_DECODE_EXTENSIONS INTEL_X509V3_PASSTHROUGH_FREE_EXTENSIONS INTEL_X509V3_PASSTHROUGH_ALGID_TO_ALGOID INTEL_X509V3_PASSTHROUGH_ALGOID_TO_ALGID INTEL_X509V3_PASSTHROUGH_DECODE_ALGID INTEL_X509V3_PASSTHROUGH_FREE_ALGID INTEL_X509V3_PASSTHROUGH_OPEN_FILE INTEL_X509V3_PASSTHROUGH_CLOSE_FILE INTEL_X509V3_PASSTHROUGH_WRITE_CERT_TO_FILE INTEL_X509V3_PASSTHROUGH_ENCODE_SIGNED_CRL INTEL_X509V3_PASSTHROUGH_DECODE_SIGNED_CRL INTEL_X509V3_PASSTHROUGH_FREE_SIGNED_CRL INTEL_X509V3_PASSTHROUGH_ENCODE_TBS_CERTLIST INTEL_X509V3_PASSTHROUGH_DECODE_TBS_CERTLIST INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERTLIST INTEL_X509V3_PASSTHROUGH_FREE_REVOKED_CERTLIST INTEL_X509V3_PASSTHROUGH_ENCODE_REVOKED_CERT_ENTRY INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERT_ENTRY INTEL_X509V3_PASSTHROUGH_FREE_REVOKED_CERT_ENTRY INTEL_X509V3_PASSTHROUGH_CSSMKEY_TO_SPKI INTEL_X509V3_PASSTHROUGH_SPKI_TO_CSSMKEY The Role of Add-InModules in the CDSA Framework Design Criteria for Add-InModules Global Unique Identiﬁer (GUID) Initializer Code to Register Services with CSSM Add-InModule Install Program To Install an Add-InLibrary How to Create a CDSA Add-InModule for HP-UX How to Create a CDSA Add-InModule for HP-UX Example: Page Implementing Integrity Checking in Add-InModules Programming Self-CheckFunctions into the Initializer ISL_SelfCheck ISL_SelfCheck does the following: ISL_SelfCheck •Retrieves self-checkcredentials from /usr/lib/cdsa/meta-inf •Veriﬁes the add-inmodule ISL_RetrieveSelfCheckCredentials GetModulePath The credential name has the form /usr/lib/cdsa/meta-inf/some-add-in.dsa ISL_RetrieveSelfCheckKey To make this function, the add-inprovider needs to ask HP to: •create a DSA public/private key pair for the add-inprovider •embed the public key in the function whose prototype is shown below The private key will be used in the signing process to create a credential ﬁle Programming AddInAuthenticate() to Perform Bilateral Authentication Please contact HP when you have need for these functions Sample Code Showing Bilateral Authentication in AddInAuthenticate() Page Completing the Development of a CSP that Performs Integrity Checking Page The Credential File X.509 Certiﬁcate Chain The Validation Sequence Integrity Check prior to Loading .DSA file, containing signer's DSA signature DSA Did the Signer's .SF file, containing hash of data in .MF file Are .MF or .SF file SHA-1 has been The Self Check Bilateral Authentication In-Memoryvs. Static Checking Further References Page Sample Install Program Appendix A Page Page Page Page Page Page Page Page Generating the Credential File HP Signing Policy for CSP Add-InVendors for CDSA Version HP Signing Policy for CSP Add-InVendors for CDSA Version C Sample Add-inModule Code Appendix C Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page D Functions Needed for Add-inModule Integrity IMPORTANT E Trouble Shooting HP CDSA CDSA API Errors CDSA API Errors Appendix E Page Page Page Page Page Page Page Page Page CDSA Start Up Errors when calling CSSM_ModuleAttach CDSA Start Up Errors when calling CSSM_ModuleAttach Page Debugging Core Dumps Using DDE to Debug CDSA Applications Migrating to CDSA Appendix F The following CDSA 1.2 data structures may be changed or obsoleted in CDSA 2.0: CSSM core data structures: CL data structures: DL data structures: CSP data structures: TP data structures: G ZIP format Appendix G Page Page H The Private Key File