Common Data Security Architecture (CDSA) White Paper

Introduction to Add-in Modules

supports. The function tables consist of pointers to the service functions supported by the module and are created dynamically when the module is registered. Whenever the application makes function calls, CSSM uses these function pointers to call the appropriate module service.

When a module is detached, CSSM calls the Terminate function which allows the module to perform any necessary cleanup actions. CSSM calls the module’s EventNotify function to notify the add-in module as part of every attach and detach operation.

Interaction with add-in modules is not limited to CSSM and applications. Modules can use one another to implement their functionality.

For example, a CL module can use the capabilities of a CSP module to perform the cryptographic operations of sign and verify. In that case, the CL could package the certificate or CRL fields to be signed or verified, attach to the appropriate CSP module, and call CSSM_SignData or CSSM_VerifyData to perform the operation. Similarly, other CSSM add-in modules may use the CL module to implement their functionality.

The integrity services of CSSM can be used by CSP add-in modules to verify their own integrity and that of the CSSM. This aids in CSSM’s detection and protection against malicious attacks.

Design Criteria for Add-In Modules

Because a CDSA add-in module must work within the CDSA framework, it must comply with CDSA design criteria.

If the add-in module is a CSP, it must have a set of digital credentials that are verified by CSSM when the module is attached.

The add-in module installation program must create module information files using CSSM_ModuleInstall. The module information files are used for informing CSSM and applications of the module’s identity and capabilities.

The sequence of module initialization and verification steps must occur prior to dynamic binding of the CSP module with CSSM.

Global Unique Identifier (GUID)

Each add-in module is identified by a global unique identifier (GUID). The GUID is needed when the module is created, installed and used by the CSSM, applications, and any module. For example, the GUID is used by:

*the CSSM module information files to expose add-in module availability and capabilities to applications.

Chapter 1

49

Page 49
Image 49
HP UX Security Products and Features Software manual Design Criteria for Add-In Modules, Global Unique Identifier Guid