Common Data Security Architecture (CDSA) White Paper

ManualsBrandsHP ManualsSoftwareHP-UX Security Products and Features Software

Contents

1. Common Data Security Architecture (CDSA) White Paper

Glossary of CDSA Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . .4

What Is CDSA? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

HP’s Implementation of CDSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

CDSA Components in HP-UX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

CDSA in the Context of Other Security Applications . . . . . . . . . . . . .15

HP’s Paradigm Shift. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Common Security Services Manager (CSSM) API . . . . . . . . . . . . . . . . .18

CSSM Module Information Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Cryptography Service Provider (CSP) API. . . . . . . . . . . . . . . . . . . . . . . .21

Public/Private Key Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Interaction between CSP and Applications . . . . . . . . . . . . . . . . . . . . .26

CSP Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

Certiﬁcate Library Services (CL) API . . . . . . . . . . . . . . . . . . . . . . . . . . .34

What is a Certiﬁcate?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

Operations on Certiﬁcates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

Introduction to Add-in Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

The Role of Add-In Modules in the CDSA Framework . . . . . . . . . . . .48

Design Criteria for Add-In Modules . . . . . . . . . . . . . . . . . . . . . . . . . . .49

Global Unique Identiﬁer (GUID). . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

Initializer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50

Code to Register Services with CSSM . . . . . . . . . . . . . . . . . . . . . . . . .51

Add-In Module Install Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

How to Create a CDSA Add-In Module for HP-UX . . . . . . . . . . . . . . . .53

Implementing Integrity Checking in Add-In Modules. . . . . . . . . . . . .55

ProgrammingAddInAuthenticate()toPerformBilateralAuthentication

CompletingtheDevelopmentofa CSPthatPerformsIntegrityChecking

Summary of content (130 pages)

PAGE 1
Contents 1. Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . .4 What Is CDSA? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 HP’s Implementation of CDSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 CDSA Components in HP-UX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13 CDSA in the Context of Other Security Applications . . . . . . . . .
PAGE 2
Contents Validating the CSP Credentials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Credential File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X.509 Certificate Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Validation Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integrity Check prior to Loading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Self Check. . . . . . .
PAGE 3
Common Data Security Architecture (CDSA) White Paper 1 Common Data Security Architecture (CDSA) White Paper This document describes the Common Data Security Architecture (CDSA), which, as of June 1999, is available on the HP-UX 11.0 Application CD. In the future, it will be available as part of the HP-UX core.
PAGE 4
Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms Glossary of CDSA Terms and Acronyms API Application program interface. Abstract Syntax Notation One (ASN.1) A standard means of describing a message that can be sent over a network. Two ISO standards define ASN.1 syntax (ISO 8824/ITU X.208) and encoding rules (ISO 8825/ITU X.209) for applications using the Open Systems Interconnection (OSI) framework.
PAGE 5
Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms Common Security Services Manager (CSSM) A central, extensible infrastructure that defines APIs for access to cryptography, certificate, trust, or storage services. Cryptography Service Provider (CSP) A CSP (whether software and/or hardware-based) provides data encryption/decryption, digital signatures, cryptographic hashing, key generation, random-number generation services.
PAGE 6
Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms OID/value pair An abstract identifer representing a data type and the corresponding value of that data type. Optimal Asymmetric Encryption Padding (OAEP) A method of encoding a message with a masked random number, then encrypting it. Open Group A software standards organization sponsored by major software vendors to develop and foster industry standards for software interfaces.
PAGE 7
Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms Secure Electronic Transactions (SET) A standard to enable online credit card transactions, using public-key encryption and digital signature validation. Secure Multipurpose Internet Mail Extensions (S/MIME) A secure protocol for sending e-mail using RSA encryption and following the syntax provided in the PKCS format #7. Secure Sockets Layer (SSL) A protocol created by Netscape Communications, Inc.
PAGE 8
Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms bulk encryption Technique used to disguise a large amount of data using symmetric key algorithms that are relatively “inexpensive” computationally. bundled modules HP’s implementation of CDSA includes CSSM, CSP, and CL bundled modules. No DL or TP module is included in the first release of CDSA. certificate revocation list (CRL) A list of certificates that have been revoked or suspended.
PAGE 9
Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms Decryption is the conversion of encrypted data into its original, comprehensible form. data integrity The assurance that information has not been altered since it was originally generated. key A piece of data that is used with an algorithm to encrypt and decrypt information. key wrapping/unwrapping Encryption/decryption of a key. The key can be a symmetric key or private key of a public/private key pair.
PAGE 10
Common Data Security Architecture (CDSA) White Paper Glossary of CDSA Terms and Acronyms root of trust The concept that a single authority may propagate trust by signing an entity’s identity certificate. salt Random bytes that are usually mixed with other bytes to form a key or password. secure hash algorithms (SHA-1 and its predecessor SHA) Algorithms specified in the Secure Hash Standard (SHS, FIBS PUB 180) and developed by the National Institute of Standards and Technology (NIST).
PAGE 11
Common Data Security Architecture (CDSA) White Paper What Is CDSA? What Is CDSA? The Common Security Architecture (CDSA) is a set of application program interfaces (APIs) to perform cryptography and other public key infrastructure operations. Additional shared libraries implement the API functionality. The Cryptographic Service Provider (CSP) module implements most popular cryptographic algorithms. The Certificate Library (CL) module implements X.509v3 certificate operations.
PAGE 12
Common Data Security Architecture (CDSA) White Paper What Is CDSA? be available as part of the HP-UX core. The CDSA product contains all CDSA components, which can be found in the following directories and files (remember that as of June 1999, you will have to install the HP-UX 11.0 Application CD for these directories and files to be on your system): /usr/lib/libcssm.1 & libcssm.sl CSSM framework library /usr/lib/cdsa/libx509v3.1 CL library /usr/lib/cdsa/meta-inf/libcssm.
PAGE 13
Common Data Security Architecture (CDSA) White Paper What Is CDSA? Figure 1-2 CDSA Components on HP-UX Common Security Services Manager (CSSM) APIs Crypotgraphy Services Manager and Interface Certificate Library Manager and Interface Cryptography Services Provider (CSP) Certificate Library (CL) Data Storage Library Manager and Interface Data Storage Library (DL) Trust Policy Manager and Interface Trust Policy Library (TP) CDSA Components in HP-UX Each component of the HP-UX CDSA infrastructure provi
PAGE 14
Common Data Security Architecture (CDSA) White Paper What Is CDSA? • Pass-through capabilities to import/export RSA and DSA keys The Certificate Library (CL) API performs memory-based, syntactic manipulations on X.509v3 certificates and certificate revocation lists.
PAGE 15
Common Data Security Architecture (CDSA) White Paper What Is CDSA? Figure 1-3 Example of CDSA APIs Used for Applications vs.
PAGE 16
Common Data Security Architecture (CDSA) White Paper What Is CDSA? Figure 1-4 CDSA, shown relative to higher-level protocols and user applications End User Applications Higher-Level Security Protocols (PKCS, SSL, S/MIME, IPSEC, SET, et al.
PAGE 17
Common Data Security Architecture (CDSA) White Paper What Is CDSA? promote interoperability. The syntax for expressing PKCS definitions are based on the Abstract Syntax Notation One (ASN.1), which is defined in two ISO standards that describe data syntax and encoding.
PAGE 18
Common Data Security Architecture (CDSA) White Paper Common Security Services Manager (CSSM) API Common Security Services Manager (CSSM) API The Common Security Services Manager (CSSM) provides the general-purpose core services of the CDSA and operates on behalf of its libraries and add-in modules, such as the cryptographic service provider (CSP) or certificate library (CL).
PAGE 19
Common Data Security Architecture (CDSA) White Paper Common Security Services Manager (CSSM) API operations. Module verification has three aspects: • verification of the module’s identity, based on a digitally-signed certificate • verification of object code, whose integrity is itself based on a signed hash of the object • tightly binding the verified module identity with the verified set of object code.
PAGE 20
Common Data Security Architecture (CDSA) White Paper Common Security Services Manager (CSSM) API and are available to applications without further operations required. They should remain on the system and not be removed. NOTE CDSA requires the /var file system to support long file names (greater than 14 characters). CSSM and the bundled add-ins will not be pre-installed if its /var supports only short file names. In this case, CSSM_ModuleInstall() will return the error code CSSM_NOT_LONG_FILE_NAME_SYS.
PAGE 21
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API Cryptography Service Provider (CSP) API The algorithms of the cryptography service provider (CSP) APIs provide the means to : • Disguise data, so that it is unreadable in encrypted form. • Ensure data integrity, to make sure it has not changed in transport. • Uniquely identify the sender of received data. The CSP is an add-in module to the CSSM.
PAGE 22
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API Figure 1-5 Dual Asymmetric Key Algorithm [1]. A: B B A’s data B’s public key A’s encrypted data [2] B: B B’s private key A’s encrypted data A’s data Symmetric Key Algorithm Because asymmetric key algorithms are very expensive computationally, symmetric key algorithms (which use the same one key to encrypt and decrypt) are used to bulk-encrypt the data.
PAGE 23
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API Figure 1-6 Symmetric Key Algorithm [1] A: RC2 or RC4 symmetric key algorithm symmetric key [2] A: A’s data symmetric key A’s encrypted data symmetric key encrypted symmetric key B B B’s public key [3] B: B B’s private key encrypted symmetric key symmetric key A’s encrypted data symmetric key [4] B: A’s data Authenticating a Digital Signature When B receives the data, B can be certain only of having
PAGE 24
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API unique set of bits corresponding to the data. Typically generated hashes are very small (e.g. 20 bytes). [2] A encrypts the hash using A’s private key to create A’s “digital signature.” [3] A passes the digital signature, encrypted symmetric key, and bulk-encrypted data to B. [4] B uses B’s private key to decrypt the encrypted symmetric key. [5] B uses the symmetric key to decrypt A’s bulk-encrypted data.
PAGE 25
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API Figure 1-7 Authenticating a Digital Signature [1] A: hash A’s data A’s hash of A’s data [2] A: A A’s hash of A’s data A’s private key A’s digital signature [3] A: B A’s digital signature, encrypted symmetric key, A’s encrypted data [4] B: B B’s private key encrypted symmetric key symmetric key [5] B: A’s encrypted data symmetric key A’s data [6] B: hash A’s data B’s hash of A’s data [7] A B: A
PAGE 26
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API Interaction between CSP and Applications The application selects a CSP and requests CSSM to attach to it. The CSSM returns a CSP handle to the application that uniquely identifies the pairing of the application thread to the CSP module instance. This handle is used by the application to identify the CSP in the future.
PAGE 27
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API by the operating system. CSP Operations CSP_SignData () CSP_SignDataInit () CSP_SignDataUpdate () CSP_SignDataFinal () Each operation accepts as input a handle to a cryptographic context describing the sign operation and the data on which to operate. The result of the completed sign operation is returned in a CSSM_DATA structure.
PAGE 28
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API CSP_GenerateMacFinal () Each operation accepts as input a handle to a cryptographic context describing the MAC operation and the data on which to operate. The result of the completed MAC operation is returned in a CSSM_DATA structure.
PAGE 29
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API CSP_GenerateKeyPair () Accepts as input a handle to a cryptographic context describing the generate key operation and attributes of each key in the new key pair. The keys are returned in CSSM_KEY structures. CSP_GenerateRandom () Accepts as input a handle to a cryptographic context describing the generate random operation. The random data is returned in a CSSM_DATA structure.
PAGE 30
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API Accepts as input a login password and logs the user into the CSP. CSPs are not required to support a login model. If a login model is supported, the CSP may request additional passwords at any time during the period of service. The HP-UX bundled CSP supports logins. CSP_Logout () The caller is logged out of the current login session with the designated CSP.
PAGE 31
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API Algorithm IDs, shown with keysize specification in bits: — CSSM_ALGID_CDMF; 64 The effective key size of a 64-bit CDMF key is 40 bits.
PAGE 32
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API • Digital Signature and Validation Algorithm ID: — CSSM_ALGID_MD5WithRSA — CSSM_ALGID_SHA1WithRSA — CSSM_ALGID_SHA1WithDSA • Parameter Generation Algorithm ID: — CSSM_ALGID_DSA — CSSM_ALGID_DH • Key Wrapping and Unwrapping Algorithm ID, shown with keysize specification in bits: — CSSM_ALGID_RSA; 512 — CSSM_ALGID_CDMF; 64 — CSSM_ALGID_RC2; <=40 — CSSM_ALGID_RC4; <=40 • Key Derivation Algorithm ID, shown with supporte
PAGE 33
Common Data Security Architecture (CDSA) White Paper Cryptography Service Provider (CSP) API Purpose Pass-Through ID Decode BER-encoded CSSM RSA and DSA keys ISC_CSP_DECODE_DSA_PUBKEY ISC_CSP_DECODE_DSA_PRIKEY ISC_CSP_DECODE_RSA_PUBKEY ISC_CSP_DECODE_RSA_PRIKEY Delete a private key ISC_CSP_DELETE_PRVKEY Reverse the order of octets in a symmetric CSSM key ISC_CSP_REVERSE_KEY Create a DSA or RSA CSSM private key using raw application-supplied data ISC_CSP_IMPORT_KEY BER-encode DSA parameters ISC_C
PAGE 34
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Certificate Library Services (CL) API What is a Certificate? A certificate is a mechanism for establishing identity. Think of an X.509 certificate as a packet that can be given safely to others. X.509 derives from a data storage concept for directory services, called X.500, a mechanism that allows individuals to access others’ data.
PAGE 35
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Certificates may have various classifications, and increasingly, developers are wanting to include more information in a certificate. The CL module bundled as part of CDSA allows you to create extensions, which can contain additional data. Each field of a certificate format consists of a tag/value pair.
PAGE 36
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API • Serial number of the revoked certificate • Date on which the revocation occurred • Number of extensions • Pointers to extensions, if present The certificate library manages the translation from the certificate to be revoked to its representation in the CRL. The contents of the CRL can be queried for its revocation records, certificates, or individual CRL fields.
PAGE 37
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API CL_PassThrough function in the CL. The CL interprets the input parameters to enable the appropriate operation to be performed. NOTE Certificate and CRL operations initiated by an application are performed with APIs whose names have the form CSSM_CL_*(). Other interfaces, whose names have the form CL_*() are intended for use by add-on module developers only, for operations between the CSSM and the CL module.
PAGE 38
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API The CL functions are accessible to the CSSM at attach time, when the CSSM receives the certificate library’s function table. In the function table, any unsupported function has a NULL function pointer. Certificate operations fall into three general areas: Cryptographic Operations, wherein a certificate is signed and its signature verified.
PAGE 39
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Returns the first field in the certificate matching the input OID. If the certificate contains more than one instance of the requested OID, the CL returns a handle used for obtaining and tallying the additional instances of the OID in the certificate. The application obtains the additional matching instances by repeated calls to CL_CertGetNextFieldValue.
PAGE 40
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Revokes the input certificate by adding a record of the certificate to the CRL. The CRL entry consists of OID/values provided by the application. The new record is signed using the revoker’s certificate and the updated CRL is returned to the calling application. The CL defines which fields must or cannot be set using this function. This operation is valid only if the CRL has not been signed.
PAGE 41
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Extensibility Functions CL_PassThrough ( ) Performs a function indicated by an operation ID, which identifies an operation exported by CL for use by an application or other module. These operations are specific to the data format of the certificates and CRLs manipulated by the CL module. The HPUX bundled CL supports the following pass-through functions. Each pass-through ID defined in cdsa/x509defs.
PAGE 42
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Function Create a DER-encoded X.
PAGE 43
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API INTEL_X509V3_PASSTHROUGH_ENCODE_EXTENSIONS Function Encode an array of certificate extensions Input Pointer to an array. The first element points to another array containing extensions in the format of X509_EXTENSION. The second element is the total number of extensions.
PAGE 44
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Function Encode algorithm identifier Input Pointer to an algorithm identifier in the format of X509_ALGORITHM_IDENTIFIER Output Pointer to encoded algorithm identifier in the format of CSSM_DATA INTEL_X509V3_PASSTHROUGH_DECODE_ALGID Function Decode algorithm identifier Input Pointer to encoded algorithm identifier in the format of CSSM_DATA Output Pointer to an algorithm identifier in the format of X509_ALG
PAGE 45
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Function Read certificate from a file Input File pointer Output Pointer to encoded certificate in the format of CSSM_DATA INTEL_X509V3_PASSTHROUGH_ENCODE_SIGNED_CRL Function Encode a signed CRL Input Pointer to the signed CRL in the format of X509_SIGNED_CRL Output Pointer to an encoded, signed CRL in the format of CSSM_DATA INTEL_X509V3_PASSTHROUGH_DECODE_SIGNED_CRL Function Decode a signed CRL Input P
PAGE 46
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Function Encode the certificate list Input Pointer to the certificate list in the format of X509_REVOKED_CERT_LIST Output Pointer to the encoded certificate list in the format of CSSM_DATA INTEL_X509V3_PASSTHROUGH_DECODE_REVOKED_CERTLIST Function Decode the certificate list Input Pointer to the encoded certificate list in the format of CSSM_DATA Output Pointer to the certificate list in the format of X509_R
PAGE 47
Common Data Security Architecture (CDSA) White Paper Certificate Library Services (CL) API Function Find which CSP supports an input cryptographic algorithm Input Pointer to an algorithm ID defined in cdsa/cssm.
PAGE 48
Common Data Security Architecture (CDSA) White Paper Introduction to Add-in Modules Introduction to Add-in Modules NOTE This section provides a conceptual overview of CDSA add-in modules. For a summary of how to create an add-in module, see “How to Create a CDSA Add-In Module for HP-UX” on page 53. For information on credentials required for any CSP add-in module, see “Validating the CSP Credentials” on page 65 and “HP Signing Policy for CSP Add-In Vendors for CDSA Version 1.2” on page 84.
PAGE 49
Common Data Security Architecture (CDSA) White Paper Introduction to Add-in Modules supports. The function tables consist of pointers to the service functions supported by the module and are created dynamically when the module is registered. Whenever the application makes function calls, CSSM uses these function pointers to call the appropriate module service. When a module is detached, CSSM calls the Terminate function which allows the module to perform any necessary cleanup actions.
PAGE 50
Common Data Security Architecture (CDSA) White Paper Introduction to Add-in Modules * a module to identify itself when it sets an error. * an application, to identify the requested module when attaching an add-in module. For each bundled module, HP provides a GUID in /var/cdsa/cssm. Existing GUIDs and their associated shared libraries are also specified in cdsa/hpguids.h. Here is a sample GUID: String*Location: String*Name: /usr/lib/libcsp.1 CDSA Adaptation Layer CSP for the CSP Toolkit from Co.
PAGE 51
Common Data Security Architecture (CDSA) White Paper Introduction to Add-in Modules • If self-checking is required, the initialization function calls the ISL_SelfCheck function. For a sample initialization routine, see “How to Create a CDSA Add-In Module for HP-UX” on page 53. For detailed information about CSP self-checks, see “Programming Self-Check Functions into the Initializer” on page 56.
PAGE 52
Common Data Security Architecture (CDSA) White Paper Introduction to Add-in Modules To Install an Add-In Library The install operation expects the add-in library to be installed in the same directory. • Copy your library into the same directory, then execute the program, or • Modify the code to read it from a different directory. To uninstall an add-in library, pass in the -u option. Link the install program source code with /usr/lib/libcssm.
PAGE 53
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX How to Create a CDSA Add-In Module for HP-UX This section summarizes the steps involved in creating a CDSA add-in module. By convention, the CDSA add-in module is named libxxx.1 for the first version of the library, where xxx is the library’s chosen name. If /usr/lib file system supports only short file names, limit the library name to 14 characters. The add-in libraries must reside in /usr/lib/cdsa. 1.
PAGE 54
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX For further conceptual information about GUIDs, see “Global Unique Identifier (GUID)” on page 49. 2. Define an initializer for each add-in module. The initialization routine is invoked by the system loader immediately after the shared library loads successfully. It is also invoked right before the library is unloaded.
PAGE 55
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX simpler. For detailed information on coding the initialization program to perform self-checks, see “Programming Self-Check Functions into the Initializer” on page 56. For more conceptual information about initialization, see “Initializer” on page 50. 3. Register services to CSSM by calling AddInAuthenticate().
PAGE 56
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX Programming Self-Check Functions into the Initializer As soon as a CSP shared library is loaded into computer memory, it should cause one of its own functions to execute to perform self-checks. The initialization function should call the ISL_SelfCheck function. (When self checking is not desired, these initialization functions become null functions.
PAGE 57
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX These functions use another function, GetModulePath (whose source is also shown for convenience). All these functions (except ISL_RetrieveSelfCheckKey) are typically put in a file named callouts.c. After callouts.c is compiled, the objects should be placed in the add-in shared library. The ISL_RetrieveSelfCheckKey function is typically placed in a file called public.c.
PAGE 58
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX GetModulePath Returns the path to the add-in shared library. Since all add-ins are placed in /usr/lib/cdsa; szPath has the form /usr/lib/cdsa/libadd_in_name.1 uint32 GetModulePath(char *szPath, uint32 len) { strcpy(szPath,”/usr/lib/cdsa/libadd_in_name.1”); len = strlen(szPath); return len; } ISL_RetrieveSelfCheckSectionName The credential name has the form /usr/lib/cdsa/meta-inf/some-add-in.
PAGE 59
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX /* k points to behind the meta-inf, the 2nd to last ‘/’ */ /* Now change the extension to .
PAGE 60
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX long len = ; if (!Name || (len > Name->length)) return; Name->length = len; memcpy(Name->value, Key, Name->length); return; } Programming AddInAuthenticate() to Perform Bilateral Authentication If the Self check is successful, control is returned to the CSSM manager, which will call the add-in’s AddInAutheticate function. Ironically, the name implies that authentication is going on.
PAGE 61
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX add-in module’s public.c file. Compile and place the objects in the add-in shared library. Please contact HP when you have need for these functions. Sample Code Showing Bilateral Authentication in AddInAuthenticate() Here is an example of typical code that might be added to an AddInAuthenticate function to accomplish bilateral authentication: . . .
PAGE 62
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX return CSSM_FAIL; /* Call function */ ((RETRV)tmp)((ISL_CALLOUT_DATA *)&key); tmp = NULL; if ((i = shl_findsym( (shl_t *)&pImage, “ISL_RetrieveRootIssuerName”, TYPE_PROCEDURE, (void *)&tmp ) ) != 0 ) return CSSM_FAIL; /* Call function */ ((RETRV)tmp)((ISL_CALLOUT_DATA *)&signer); VerifiedCSSMModulePtr = ISL_VerifyLoadedModuleAndCredentials( ConstPathData, ConstSectionData, signer, key); if(VerifiedCSSMModul
PAGE 63
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX VerifiedCSSMModulePtr = NULL; return CSSM_FAIL; } . . . Completing the Development of a CSP that Performs Integrity Checking 1. Test your add-in module, using a CSSM manager running in non-authentication mode. (Such a CSSM manager can be obtained from Hewlett-Packard with a special license agreement.) 2.
PAGE 64
Common Data Security Architecture (CDSA) White Paper How to Create a CDSA Add-In Module for HP-UX with a CSSM capable of integrity checking.
PAGE 65
Common Data Security Architecture (CDSA) White Paper Validating the CSP Credentials Validating the CSP Credentials Before a CSP add-in module can be loaded by CSSM, CDSA must ensure that the module has not been tampered with. This is done by performing a series of verifications on the shared library. Every CSP add-in module has a corresponding credential file that contains a digitally signed hash of the CSP shared library.
PAGE 66
Common Data Security Architecture (CDSA) White Paper Validating the CSP Credentials Certificate 2’s public key, and so on.
PAGE 67
Common Data Security Architecture (CDSA) White Paper Validating the CSP Credentials Integrity Check prior to Loading The integrity check performed on the CSP prior to loading ensures that the add-in shared library has not been tampered with before it is loaded. The CSSM performs this check before loading any CSP add-in module. 1. First, the signature on the signed .SF file is validated. To accomplish this, the CSSM uses the certificate chain of X.509 certificates embedded in the credential file. 2.
PAGE 68
Common Data Security Architecture (CDSA) White Paper Validating the CSP Credentials Figure 1-10 Verifying the authenticity of data in the .MF file .SF file, containing hash of data in .MF file .MF file, containing hash of shared library and library name SHA-1 HASH function Are SHA-1 hashes equal? No .MF or .SF file has been tampered with. STOP! Yes Proceed to verify hash of shared library 4. If these hashes match, a hash of the shared library to be loaded is calculated.
PAGE 69
Common Data Security Architecture (CDSA) White Paper Validating the CSP Credentials Figure 1-11 Verifying the validity of the CSP library .MF file, containing hash of shared library and library name CSP file SHA-1 HASH function Are SHA-1 hashes equal? No .CSP shared library has been tampered with. STOP! Yes CSP shared library is valid 5. If the values match, the shared library is loaded. If the hashes do not match, CDSA execution will terminate.
PAGE 70
Common Data Security Architecture (CDSA) White Paper Validating the CSP Credentials Bilateral Authentication In the final set of integrity checks, known as bilateral authentication, the CSP add-in module checks the integrity of the CSSM manager that requested the CSP’s loading to ensure the CSSM has not been tampered with. 1.
PAGE 71
Common Data Security Architecture (CDSA) White Paper Concluding Remarks Concluding Remarks CDSA is a powerful, flexible modular infrastructre for safeguarding information. However, as with all things powerful, CDSA requires extensive knowledge to take full advantage of its capabilities. Currently, application developers may need expertise in both cryptography and the details of Internet security protocols (SSL, S/MIME, etc).
PAGE 72
Common Data Security Architecture (CDSA) White Paper Concluding Remarks 72 Chapter 1
PAGE 73
Sample Install Program A Sample Install Program Copyright (C) 1998 The Hewlett Packard Corporation. All rights reserved. This file is used as an example of how to write an application program that installs or uninstalls a CDSA add-in module. Hewlett Packard Company (“HP”) grants you a non-exclusive, royalty-free license to use, copy, modify and distribute this source file solely for the purpose of developing application programs that utilize HP CDSA. This source file is licensed “as is.
PAGE 74
Sample Install Program /* OS-specific includes */ #include #include #include #include #include #define PATH_LEN 256 #define DL_LIB “libdummydl.1” #define DEST_PATH “/usr/lib/cdsa” #define TARGET_NAME “/usr/lib/cdsa/libdummydl.
PAGE 75
Sample Install Program void* ex_realloc(void *block,uint32 size,void *ref) { return realloc(block,size); } void* ex_calloc(uint32 count,uint32 size,void *ref) { return calloc(count,size); } CSSM_RETURN uninstall_addin(int cleanup); #else void* ex_malloc(size, ref) uint32 size; void *ref; { return malloc(size); } void ex_free(block, ref) void *block; void *ref; { free(block); } void* ex_realloc(block, size, ref) void *block;uint32 size;void *ref; { return realloc(block,size); } void* ex_calloc(count,si
PAGE 76
Sample Install Program { return calloc(count,size); } CSSM_RETURN uninstall_addin(); #endif CSSM_API_MEMORY_FUNCS DBMemoryFunctions = { ex_malloc, ex_free, ex_realloc, ex_calloc }; void main(argc, argv) int argc; char* argv[]; { CSSM_VERSION cssm_version; CSSM_VERSION dl_version; CSSM_VERSION ex_version; CSSM_VERSION access_version; CSSM_DL_WRAPPEDPRODUCT_INFO access_desc; CSSM_DLSUBSERVICE sub_service; CSSM_SERVICE_INFO service_info; CSSM_MODULE_INFO module_info; CSSM_ERROR_PTR error_ptr
PAGE 77
Sample Install Program exit (1); } /* variable initialization */ cssm_version.Major = CSSM_MAJOR; cssm_version.Minor = CSSM_MINOR; dl_version.Major = DUMMY_DL_MAJOR_VER; dl_version.Minor = DUMMY_DL_MINOR_VER; ex_version.Major = 1; ex_version.Minor = 2; access_version.Major = 2; access_version.
PAGE 78
Sample Install Program } else if (argc != 1) { printf(“Usage: dummy_install [-u]\n”); printf(“ -u: uninstall the add-in\n”); exit (1); } /* Fill the Access product info */ access_desc.StandardVersion = dl_version; strcpy(access_desc.StandardDescription, “DUMMY”); access_desc.ProductVersion = access_version; strcpy(access_desc.ProductDescription, “Dummy”); strcpy(access_desc.ProductVendor, “HP”); access_desc.ProductFlags = 0; /* fill sub-service information */ sub_service.
PAGE 79
Sample Install Program /* fill service information */ strcpy(service_info.Description, “Dummy DL Module”); service_info.Type = CSSM_SERVICE_DL; service_info.Flags = 0; service_info.NumberOfSubServices = 1; service_info.SUBSVR.DlSubServiceList = &sub_service; service_info.Reserved = NULL; /* fill module information */ module_info.Version = dl_version; module_info.CompatibleCSSMVersion = cssm_version; strcpy(module_info.Description, “HP Dummy DL Module”); strcpy(module_info.
PAGE 80
Sample Install Program if (error_ptr->error == CSSM_GUID_BEEN_INSTALLED) printf(“The add-in/GUID has been installed arleady.\n”); else { printf(“Failed at CSSM_ModuleInstall, error = %d\n”, error_ptr->error); printf(“Check for the error.
PAGE 81
Sample Install Program int cleanup; { CSSM_ERROR_PTR error_ptr; if (CSSM_ModuleUninstall(&my_addin_guid) != CSSM_OK) { if (!cleanup) { error_ptr = CSSM_GetError(); if (error_ptr->error == CSSM_GUID_NOT_INSTALLED) printf(“This add-in/GUID has not been installed yet.\n”); else { printf(“Failed to uninstall the add-in library, error = %d\n”, error_ptr->error); printf(“Check for the error.
PAGE 82
Sample Install Program 82 Appendix A
PAGE 83
Generating the Credential File B Generating the Credential File Every CSP module requires a credential file that which must be generated using a secure software program, called signdll, before the CSP can be accessed by applications using the CDSA framework. signdll is not distributed to customers, but is retained by HP “in-house.
PAGE 84
Generating the Credential File HP Signing Policy for CSP Add-In Vendors for CDSA Version 1.2 HP Signing Policy for CSP Add-In Vendors for CDSA Version 1.2 1. The vendor, whether a company incorporated in the United States or not, is responsible for obtaining a license from the Intel Corporation to gain access to the CDSA Software. 2.
PAGE 85
Sample Add-in Module Code C Sample Add-in Module Code Copyright (C) 1998 The Hewlett Packard Corporation. All rights reserved. This file is used as an example of how to write an add-in service module for the Hewlett Packard Common Data Security Architecture (HP CDSA). This file just shows you the framework of creating a Data Storage Library (DL) and doesn’t perform any real operations. This framework can also be used to create a Certificate Library (CL) or Trust Policy Library (TP).
PAGE 86
Sample Add-in Module Code #endif #if defined(__STDC__) || defined(__cplusplus) CSSM_DB_HANDLE DL_DbOpen ( CSSM_DL_HANDLE DLHandle, const char *DbName, const CSSM_DB_ACCESS_TYPE_PTR AccessRequest, const CSSM_USER_AUTHENTICATION_PTR UserAuthentication, const void *OpenParameters); CSSM_RETURN DL_DbClose (CSSM_DL_DB_HANDLE DLDBHandle); CSSM_DB_HANDLE DL_DbCreate ( CSSM_DL_HANDLE DLHandle, const char *DbName, const CSSM_DBINFO_PTR DbInfo, const CSSM_DB_ACCESS_TYPE_PTR AccessRequest, const CSSM_USER_AUTHENT
PAGE 87
Sample Add-in Module Code CSSM_DL_DB_HANDLE DLDBHandle, const CSSM_DB_RECORDTYPE RecordType, const CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes, const CSSM_DATA_PTR Data); CSSM_RETURN DL_DataDelete ( CSSM_DL_DB_HANDLE DLDBHandle, CSSM_DB_RECORDTYPE RecordType, const CSSM_DB_UNIQUE_RECORD_PTR UniqueRecordIdentifier); CSSM_DB_UNIQUE_RECORD_PTR DL_DataGetFirst ( CSSM_DL_DB_HANDLE DLDBHandle, const CSSM_QUERY_PTR Query, CSSM_HANDLE_PTR CSSM_BOOL ResultsHandle, *EndOfDataStore, CSSM_DB_RECORD_ATTRIBUTE_DAT
PAGE 88
Sample Add-in Module Code CSSM_DL_DB_HANDLE DLDBHandle, CSSM_HANDLE ResultsHandle); CSSM_RETURN DL_Initialize ( CSSM_MODULE_HANDLE AppHandle, uint32 VerMajor, uint32 VerMinor); CSSM_RETURN DL_Uninitialize ( CSSM_MODULE_HANDLE AppHandle); CSSM_RETURN DL_Authenticate (CSSM_DL_DB_HANDLE DLDBHandle, const CSSM_DB_ACCESS_TYPE_PTR AccessRequest, const CSSM_USER_AUTHENTICATION_PTR UserAuthentication); CSSM_RETURN DL_DbImport (CSSM_DL_HANDLE DLDBHandle, const char *DbDestinationName, const char *DbSourceName,
PAGE 89
Sample Add-in Module Code CSSM_DB_RECORDTYPE RecordType, const CSSM_DB_RECORD_PARSING_FNTABLE_PTR FunctionTable); CSSM_DB_RECORD_PARSING_FNTABLE_PTR DL_DbGetRecordParsingFunctions (CSSM_DL_HANDLE DLHandle, const char* DbName, CSSM_DB_RECORDTYPE RecordType); void * DL_PassThrough (CSSM_DL_DB_HANDLE DLHandle, uint32 PassThroughId, const void * InputParams); /* CSSM Wrapper functions */ CSSM_RETURN dl_RegisterServices (); CSSM_RETURN dl_DeregisterServices (); CSSM_RETURN dl_SetError (uint32 error); void _
PAGE 90
Sample Add-in Module Code CSSM_DB_UNIQUE_RECORD_PTR DL_DataGetFirst (); CSSM_DB_UNIQUE_RECORD_PTR DL_DataGetNext (); CSSM_RETURN DL_FreeUniqueRecord (); CSSM_RETURN DL_DataAbortQuery (); CSSM_RETURN DL_Initialize (); CSSM_RETURN DL_Uninitialize (); CSSM_RETURN DL_Authenticate (); CSSM_RETURN DL_DbImport (); CSSM_RETURN DL_DbExport (); CSSM_RETURN DL_DbSetRecordParsingFunctions (); CSSM_DB_RECORD_PARSING_FNTABLE_PTR DL_DbGetRecordParsingFunctions (); void * DL_PassThrough (); /* CSSM Wrapper functions */ CS
PAGE 91
Sample Add-in Module Code typedef void * FUNC_PTR; #if defined(__STDC__) || defined(__cplusplus) typedef CSSM_RETURN (*REGISTER_FUNC_PTR) ( const CSSM_GUID_PTR GUID, const CSSM_REGISTRATION_INFO_PTR FunctionTable, CSSM_SPI_MEMORY_FUNCS_PTR UpcallTable, void *Reserved); typedef CSSM_RETURN (*DE_REGISTER_FUNC_PTR) (const CSSM_GUID_PTR GUID); typedef CSSM_RETURN (*SET_ERROR_FUNC_PTR) (CSSM_GUID_PTR guid, uint32 error); #else typedef CSSM_RETURN (*REGISTER_FUNC_PTR) (); typedef CSSM_RETURN (*DE_REGISTER_FU
PAGE 92
Sample Add-in Module Code * *---------------------------------------------------------------------------*/ void _MyAddIn_Init(hInstance, loading) shl_t hInstance; int loading; { if (loading) { } else { dl_DeregisterServices(); } } /*-------------------------------------------------------------------------* Name: dl_GetCSSMFunctionPointer -------------------------------------------------------------------------- */ CSSM_RETURN dl_GetCSSMFunctionPointer (FunctionName, FunctionPtr) char *FunctionName; voi
PAGE 93
Sample Add-in Module Code else return CSSM_FAIL; } /*----------------------------------------------------------------------------* Name: AddInAuthenticate *---------------------------------------------------------------------------*/ CSSM_RETURN AddInAuthenticate(cssmCredentialPath, cssmSection) char* cssmCredentialPath; char* cssmSection; { /* if your add-in is CSP, the code needs to perform integrity checking here.
PAGE 94
Sample Add-in Module Code return dl_RegisterServices(); } /*----------------------------------------------------------------------------* Name: dl_RegisterServices *---------------------------------------------------------------------------*/ CSSM_RETURN dl_RegisterServices () { CSSM_REGISTRATION_INFO DLRegInfo; CSSM_MODULE_FUNCS Services; CSSM_SPI_DL_FUNCS DLFunctionTable; /* Fill in Registration information */ DLRegInfo.Initialize = DL_Initialize; DLRegInfo.
PAGE 95
Sample Add-in Module Code DLFunctionTable.Authenticate = DL_Authenticate; DLFunctionTable.DbOpen = DL_DbOpen; DLFunctionTable.DbClose = DL_DbClose; DLFunctionTable.DbCreate = DL_DbCreate; DLFunctionTable.DbDelete = DL_DbDelete; DLFunctionTable.DbImport = DL_DbImport; DLFunctionTable.DbExport = DL_DbExport; DLFunctionTable.DbSetRecordParsingFunctions = DL_DbSetRecordParsingFunctions; DLFunctionTable.DbGetRecordParsingFunctions = DL_DbGetRecordParsingFunctions; DLFunctionTable.
PAGE 96
Sample Add-in Module Code *---------------------------------------------------------------------------*/ CSSM_RETURN DL_Initialize(AppHandle, VerMajor, VerMinor) CSSM_MODULE_HANDLE AppHandle; uint32 VerMajor; uint32 VerMinor; { CSSM_API_MEMORY_FUNCS_PTR AppMemFuncs = NULL; /* Verify that this module is compatible with the requested version */ if( VerMajor != MY_ADDIN_MAJOR_VER || VerMinor != MY_ADDIN_MINOR_VER ) { dl_SetError(CSSM_DL_INCOMPATIBLE_VERSION); return CSSM_FAIL; } return CSSM_OK; } /*-------
PAGE 97
Sample Add-in Module Code CSSM_RETURN dl_SetError (error) uint32 error; { return ((SET_ERROR_FUNC_PTR)cssmSetError)(&my_addin_guid, error); } /*---------------------------------------------------------------------------*/ CSSM_DB_HANDLE DL_DbOpen ( DLHandle, DbName, AccessRequest, UserAuthentication, OpenParameters) CSSM_DL_HANDLE DLHandle; const char *DbName; const CSSM_DB_ACCESS_TYPE_PTR AccessRequest; const CSSM_USER_AUTHENTICATION_PTR UserAuthentication; const void *OpenParameters; { printf(“in DL_Db
PAGE 98
Sample Add-in Module Code CSSM_DB_HANDLE DL_DbCreate (DLHandle, DbName, DbInfo, AccessRequest, UserAuthentication, OpenParameters) CSSM_DL_HANDLE DLHandle; const char *DbName; const CSSM_DBINFO_PTR DbInfo; const CSSM_DB_ACCESS_TYPE_PTR AccessRequest; const CSSM_USER_AUTHENTICATION_PTR UserAuthentication; const void *OpenParameters; { printf(“in DL_DbCreate\n”); return( NULL ); } /*---------------------------------------------------------------------------*/ CSSM_RETURN DL_DbDelete (DLHandle, DbName, UserA
PAGE 99
Sample Add-in Module Code } /*---------------------------------------------------------------------------*/ CSSM_DB_UNIQUE_RECORD_PTR DL_DataInsert (DLDBHandle, RecordType, Attributes, Data) CSSM_DL_DB_HANDLE DLDBHandle; const CSSM_DB_RECORDTYPE RecordType; const CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes; const CSSM_DATA_PTR Data; { printf(“in DL_DataInsert\n”); return NULL; } /*---------------------------------------------------------------------------*/ CSSM_RETURN DL_DataDelete (DLDBHandle, RecordT
PAGE 100
Sample Add-in Module Code CSSM_BOOL *EndOfDataStore; CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes; CSSM_DATA_PTR Data; { printf(“in DL_DataGetFirst\n”); return NULL; } /*---------------------------------------------------------------------------*/ CSSM_DB_UNIQUE_RECORD_PTR DL_DataGetNext (DLDBHandle, ResultsHandle, EndOfDataStore, Attributes, Data) CSSM_DL_DB_HANDLE DLDBHandle; CSSM_HANDLE ResultsHandle; CSSM_BOOL *EndOfDataStore; CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes; CSSM_DATA_PTR Data; { pr
PAGE 101
Sample Add-in Module Code /*---------------------------------------------------------------------------*/ CSSM_RETURN DL_DataAbortQuery (DLDBHandle, ResultsHandle) CSSM_DL_DB_HANDLE DLDBHandle; CSSM_HANDLE ResultsHandle; { printf(“in DL_DataAbortQuery\n”); return CSSM_OK; } /*---------------------------------------------------------------------------*/ CSSM_RETURN DL_Authenticate (DLDBHandle, AccessRequest, UserAuthentication) CSSM_DL_DB_HANDLE DLDBHandle; const CSSM_DB_ACCESS_TYPE_PTR AccessRequest; cons
PAGE 102
Sample Add-in Module Code printf(“in DL_DbImport\n”); return CSSM_OK; } /*---------------------------------------------------------------------------*/ CSSM_RETURN DL_DbExport (DLDBHandle, DbDestinationName, DbSourceName, InfoOnly, UserAuthentication) CSSM_DL_HANDLE DLDBHandle; const char *DbDestinationName; const char *DbSourceName; CSSM_BOOL InfoOnly; const CSSM_USER_AUTHENTICATION_PTR UserAuthentication; { printf(“in DL_DbExport\n”); return CSSM_OK; } /*------------------------------------------------
PAGE 103
Sample Add-in Module Code CSSM_DB_RECORD_PARSING_FNTABLE_PTR DL_DbGetRecordParsingFunctions (DLHandle, DbName, RecordType) CSSM_DL_HANDLE DLHandle; const char* DbName; CSSM_DB_RECORDTYPE RecordType; { printf(“in DL_DbGetRecordParsingFunctions\n”); return NULL; } /*---------------------------------------------------------------------------*/ void * DL_PassThrough (DLHandle, PassThroughId, InputParams) CSSM_DL_DB_HANDLE DLHandle; uint32 PassThroughId; const void * InputParams; { printf(“in DL_PassThrough\n”
PAGE 104
Sample Add-in Module Code 104 Appendix C
PAGE 105
Functions Needed for Add-in Module Integrity D Table D-1 Functions Needed for Add-in Module Integrity Functions needed for Add-in CDSA Module Integrity File Function Description public.c ISL_RetrieveRootIssuerKey Code implemented by HP; used by AddInAuthenticate() ISL_RetrieveSelfCheckKey Skeletal code implemented by HP. The code must be completed by the add-in provider once a public key is generated. Used by ISL_SelfCheck().
PAGE 106
Functions Needed for Add-in Module Integrity IMPORTANT Be sure to include the cdsa/eislapi.h header file to access two external functions, which are called by the following external functions in callouts.c and addInMain.
PAGE 107
Trouble Shooting HP CDSA E Trouble Shooting HP CDSA This section contains the following information: • CDSA API errors and error codes • CDSA Start-up errors when calling CSSM_ModuleAttach Appendix E 107
PAGE 108
Trouble Shooting HP CDSA CDSA API Errors CDSA API Errors When CDSA functions do not complete their designated operations successfully, typically, 0, NULL, CSSM_FAIL, or CSSM_FALSE values may be returned to calling programs. In order to gain more information regarding the failure, the CDSA function CSSM_GetError() may be called to retrieve the error code of the last CDSA error detected by the system. The error codes are defined in the CDSA include file cssmerr.h (located in /usr/include/cdsa).
PAGE 109
Trouble Shooting HP CDSA CDSA API Errors CSSM_CSP_INVALID_DATA 1035 CSSM_CSP_INVALID_DATA_POINTER 1036 CSSM_CSP_INVALID_DATA_COUNT 1037 CSSM_CSP_INVALID_KEY 1038 CSSM_CSP_INVALID_KEY_POINTER 1039 CSSM_CSP_INVALID_KEY_LENGTH 1040 CSSM_CSP_INVALID_CRYPTO_DATA 1041 CSSM_CSP_INVALID_CRYPTO_DATA_POINTER 1042 CSSM_CSP_INVALID_SIGNATURE 1043 CSSM_CSP_INVALID_DEVICE_ID 1044 CSSM_CSP_INVALID_DIGEST 1045 CSSM_CSP_INVALID_ALGORITHM 1060 CSSM_CSP_INVALID_MODE 1061 CSSM_CSP_INVALID_PADDING 106
PAGE 110
Trouble Shooting HP CDSA CDSA API Errors CSSM_CSP_INVALID_ALG_PARAMS 1079 CSSM_CSP_INVALID_LABEL 1080 CSSM_CSP_INVALID_DATE 1081 CSSM_CSP_INVALID_SUBJECT_KEY 1082 CSSM_CSP_INVALID_KEYUSAGE_MASK 1083 CSSM_CSP_INVALID_KEYATTR_MASK 1084 CSSM_CSP_PASSPHRASE_INCORRECT 1100 CSSM_CSP_PASSPHRASE_SAME 1101 CSSM_CSP_PASSPHRASE_LENGTH_ERROR 1102 CSSM_CSP_PASSPHRASE_INVALID 1103 CSSM_CSP_PASSPHRASE_VERIFY_FAILED 1104 CSSM_CSP_INVALID_CONTEXT_ATTRIBUTE 1120 CSSM_CSP_INVALID_ATTR_KEY 1121 CSSM_C
PAGE 111
Trouble Shooting HP CDSA CDSA API Errors CSSM_CSP_INPUT_DATA_ERROR 1152 CSSM_CSP_EXCLUSIVE_UNAVAILABLE 1160 CSSM_CSP_UPDATE_WITHOUT_INIT 1161 CSSM_CSP_CALLBACK_FAILED 1166 CSSM_CSP_FILE_NOT_EXISTS 1180 CSSM_CSP_FILE_NOT_OPEN 1181 CSSM_CSP_FILE_OPEN_FAILED 1182 CSSM_CSP_FILE_CREATE_FAILED 1183 CSSM_CSP_FILE_READ_FAILED 1184 CSSM_CSP_FILE_WRITE_FAILED 1185 CSSM_CSP_FILE_CLOSE_FAILED 1186 CSSM_CSP_FILE_COPY_FAILED 1187 CSSM_CSP_FILE_DELETE_FAILED 1188 CSSM_CSP_FILE_FORMAT_ERROR 1189
PAGE 112
Trouble Shooting HP CDSA CDSA API Errors CSSM_CSP_PRIKEY_LOAD_ERROR 1330 CSSM_CSP_KEY_ALGID_MISMATCH 1350 CSSM_CSP_KEY_BLOBTYPE_INCORRECT 1351 CSSM_CSP_KEY_DELETE_FAILED 1352 CSSM_CSP_KEY_USAGE_INCORRECT 1353 CSSM_CSP_KEY_FORMAT_INCORRECT 1354 CSSM_CSP_KEY_KEYHEADER_INCONSISTENT 1355 CSSM_CSP_KEY_PROTECTED 1356 CSSM_CSP_KEY_INCOMPATIBLE_VERSION 1357 CSSM_CSP_LOGIN_FAILED 1400 CSSM_CSP_NOT_LOGGED_IN 1401 CSSM_CSP_ALREADY_LOGGED_IN 1402 CSSM_CSP_DEVICE_ERROR 1470 CSSM_CSP_DEVICE_MEMO
PAGE 113
Trouble Shooting HP CDSA CDSA API Errors CSSM_FWRITE_FAILED 10010 CSSM_FREAD_FAILED 10011 CSSM_CANT_FSEEK 10012 CSSM_INVALID_FILE_PTR 10013 CSSM_END_OF_FILE 10014 CSSM_FOPEN_FAILED 10015 CSSM_FCLOSE_FAILED 10016 CSSM_INVALID_FILENAME 10017 CSSM_INVALID_MODE 10018 CSSM_CANT_GET_USER_NAME 10020 CSSM_GETCWD_FAILED 10021 CSSM_ENV_VAR_NOT_FOUND 10022 CSSM_FREE_LIBRARY_FAILED 10030 CSSM_LOAD_LIBRARY_FAILED 10031 CSSM_CANT_GET_PROC_ADDR 10032 CSSM_CANT_GET_MODULE_HANDLE 10033 CSSM_C
PAGE 114
Trouble Shooting HP CDSA CDSA API Errors CSSM_UNLOCK_MUTEX_FAILED 10053 CSSM_CANT_CLOSE_MUTEX 10054 CSSM_INVALID_MUTEX_PTR 10055 CSSM_CANT_CREATE_SHARED_MEMORY_FILE 10060 CSSM_CANT_OPEN_SHARED_MEMORY_FILE 10061 CSSM_CANT_MAP_SHARED_MEMORY_FILE 10062 CSSM_CANT_UNMAP_SHARED_MEMORY_FILE 10063 CSSM_CANT_FLUSH_SHARED_MEMORY_FILE 10064 CSSM_CANT_CLOSE_SHARED_MEMORY_FILE 10065 CSSM_INVALID_PERMS 10066 CSSM_BAD_FILE_HANDLE 10067 CSSM_BAD_FILE_ADDR 10068 CSSM_BAD_PTR_PASSED 10100 CSSM_INVAL
PAGE 115
Trouble Shooting HP CDSA CDSA API Errors CSSM_INVALID_MANIFEST_ATTRIB_POINTER 10318 CSSM_MODE_UNSUPPORTED 10319 CSSM_KEY_LENGTH_UNSUPPORTED 10320 CSSM_IV_SIZE_UNSUPPORTED 10321 CSSM_PADDING_UNSUPPORTED 10322 CSSM_KEY_MODULUS_UNSUPPORTED 10323 CSSM_PARAM_NO_KEY 10324 CSSM_INVALID_SERVICE_MASK 10330 CSSM_INVALID_SUBSERVICEID 10331 CSSM_INVALID_INFO_LEVEL 10332 CSSM_MULTIPLE_ENCRYPT_ATEMPT 10333 CSSM_CONTEXT_FILTER_FAILED 10334 CSSM_MANIFEST_ATTRIBUTES_NOT_FOUND 10335 CSSM_REGISTER_SE
PAGE 116
Trouble Shooting HP CDSA CDSA API Errors CL Error Description CL Error Code CSSM_CL_UNKNOWN_FORMAT 3001 CSSM_CL_UNKNOWN_TAG 3002 CSSM_CL_INVALID_CONTEXT 3003 CSSM_CL_INVALID_CL_HANDLE 3004 CSSM_CL_INVALID_CC_HANDLE 3005 CSSM_CL_INVALID_CERT_POINTER 3006 CSSM_CL_INVALID_FIELD_POINTER 3007 CSSM_CL_INVALID_TEMPLATE 3008 CSSM_CL_INVALID_DATA_POINTER 3009 CSSM_CL_INVALID_SCOPE 3010 CSSM_CL_CERT_CREATE_FAIL 3012 CSSM_CL_CERT_GET_FIELD_VALUE_FAIL 3014 CSSM_CL_CERT_GET_KEY_INFO_FAIL 3015
PAGE 117
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 118
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 119
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 120
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 121
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 122
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 123
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 124
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 125
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 126
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 127
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 128
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 129
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_
PAGE 130
Trouble Shooting HP CDSA CDSA API Errors CSSM_CL_CRL_ADD_CERT_FAIL 3032 CSSM_CL_CRL_REMOVE_CERT_FAIL 3033 CSSM_CL_CRL_SIGN_FAIL 3034 CSSM_CL_CRL_VERIFY_FAIL 3035 CSSM_CL_CRL_GET_FIELD_VALUE_FAIL 3036 CSSM_CL_CRL_ABORT_QUERY_FAIL 3037 CSSM_CL_CRL_DESCRIBE_FORMAT_FAIL 3038 CSSM_CL_INVALID_DATA 3040 CSSM_CL_INITIALIZE_FAIL 3041 CSSM_CL_UNINITIALIZE_FAIL 3042 CSSM_CL_IS_CERT_IN_CRL_FAIL 3043 CSSM_CL_INVALID_RESULTS_HANDLE 3044 CSSM_CL_SIGN_SCOPE_NOT_SUPPORTED 3045 CSSM_CL_VERIFY_SCOPE_