Note that this utility is defined as cdsa_sign by CDSA$SYMBOLS.COM. The cdsa_sign utility takes a service provider product, application, or CSSM binary, plus the manufacturer certificates generated using certgen, and creates a manifest file. Manifest files have a file extension of .ESW. This utility can be used for Integrity signing and for Export signing. The options for each function are totally different, so they are described here in separate sections. Integrity signing for a module must always be done before Export signing.
1 – Integrity Signing
Integrity signing is optional for applications and mandatory
for plug-in modules.
SYNOPSIS
cdsa_sign module_name subdirectory type signer_cert password
cert_chain module_guid access_tag pvcapi_tag pvcspi_tag priv_tag
OPTIONS
module_ name
The name of the module being signed.
subdirectory
The subdirectory (in UNIX directory format) containing the
module being signed.
type
The module type, which can be one of the following:
A - Service provider module
C - CSSM
D - Application sharable image
E - Elective Module Manager
G - Generic image
X - Application executable
signer_cert
The name of the certificate being used to sign the module.
password
The password for the private key of the certificate being used
to sign the module.
cert_chain
A text file identifying the Integrity certificates to be
embedded. This file has the following form:
number
cert1
cert2
.
.
.
where number is the number of certificates being embedded,
and cert1 and cert2 are the names of certificates to be
embedded; for example:
2
introot.cer
intmanf.cer
module_guid
The string version of the globally unique identifier of the
module being signed (as installed in MDS).
access_tag
For installer modules, this is the base-64 encoded, unsigned,
32-bit value (in big-endian) of the access type defined for
CDSA_DB_ACCESS_TYPE. For modules other than installers,
specify "XX" for this parameter.
pvcapi_tag
Specifies whether pointer validation checking is to be done on
the application program interface boundaries.
The values for the CDSA_PVC_API tag are as follows:
"EXEMPT" Specifies an application manifest, where the program
can set the PVC flag in cssm_Init.
"OFF" Specifies a CSSM manifest, where the PVC flag is
not applicable.
"XX" Specifies that the CDSA_PVC_API tag is not in the
manifest.
pvcspi_tag
Specifies whether pointer validation checking is to be done on
the service provider interface boundaries.
The values for the CDSA_PVC_SPI tag are as follows:
"EXEMPT" Specifies a service provider manifest, where the
program can set the PVC flag in cssm_Init.
"OFF" Specifies a CSSM manifest, where the PVC flag is
not applicable.
"XX" Specifies that the CDSA_PVC_SPI tag is not in the
manifest.
priv_tag
The CDSA_PRIV tag in the manifest. Currently, no CDSA_PRIV tag
values are defined, so specify "XX" to indicate that this tag
is not in the manifest.
2 – Integrity Signing Example
The following is an example of the cdsa_sign command for Integrity
signing:
$ define cdsa_sign "/cdsa_tempdir/addin"
$ set default cdsa_sysdir:[sign]
$ cdsa_sign stubcsp300_shr cdsa_sign A intmods.cer -
_$ intmods intchain. {79BDE0F0-4541-11d3-A8F3-0090271D266F} -
_$ "XX" "EXEMPT" "XX" "XX"
The first command defines the logical cdsa_sign (which is used
internally by the code) in UNIX directory format as the
directory where the executable to be signed can be found.
* stubcsp300_shr is the name of the module being signed.
* cdsa_sign is the logical pointing to the directory containing
the module.
* A indicates that stubcsp300_shr is a service provider module.
* intmods.cer is the name of the certificate being used to sign
the module.
* intmods is the password for the private key of the certificate
(intmods.cer) being used to sign the module.
* intchain. is the name of the text file containing the names of
the certificates in the Integrity chain.
* {79BDE0F0-4541-11d3-A8F3-0090271D266F} is the GUID of the service
provider module.
* "XX" is the access tag, which indicates that this is not an
installer module.
* "EXEMPT" is the CDSA_PVC_API tag specifying that this is an
application manifest.
* "XX" specifies that the CDSA_PVC_SPI tag is not in the manifest.
* "XX" specifies that the CDSA_PRIV tag is not in the manifest.
3 – Export Signing
Export signing is optional. Before you can do Export signing for a
module, you must already have done Integrity signing and a manifest
must exist. For more information about Export signing, refer to the
Intel CDSA Manifest Signing Tools User's Guide.
SYNOPSIS
cdsa_sign manifest_path signer_cert password cert_chain usee_tag
priv_tag pvcapi_tag pvcspi_tag
OPTIONS
manifest_path
The path (in UNIX directory format) to the manifest created in the
Integrity signing phase.
signer_cert
The name of the certificate being used to sign the module.
password
The password for the private key of the certificate being used to
sign the module.
cert_chain
A text file identifying the Export certificates to be embedded.
This file has the following form:
number
cert1
cert2
.
.
.
where number is the number of certificates being embedded, and
cert1 and cert2 are the names of certificates to be embedded;
for example:
2
introot.cer
intmanf.cer
usee_tag
The base-64 encoded value of the CSSM_USEE_TAG value.
This value must be enclosed within double quotation marks.
priv_tag
The CDSA_PRIV tag in the manifest. Currently, no CDSA_PRIV tag
values are defined, so specify "XX" to indicate that this tag is
not in the manifest.
pvcapi_tag
The CDSA_PVC_API tag for application and CSSM manifests.
The values are:
"EXEMPT" Specifies an application manifest.
"OFF" Specifies a CSSM manifest.
"XX" Specifies that the CDSA_PVC_API tag is not
in the manifest.
pvcspi_tag
The CDSA_PVC_SPI tag for application and CSSM manifests.
The values are:
"EXEMPT" Specifies an application manifest.
"OFF" Specifies a CSSM manifest.
"XX" Specifies that the CDSA_PVC_SPI tag is not
in the manifest.
4 – Export Signing Example
The following is an example of the cdsa_sign command for Export signing:
$ cdsa_sign /cdsa_tempdir/des2/des2.esw exapps.cer secret exchain. -
_$ "AAAAAQ==" "XX" "EXEMPT" "XX"
In this example:
* /cdsa_tempdir/des2/des2.esw is the path (in UNIX format)
to the manifest created during Integrity signing.
* exapps.cer is the name of the certificate being used to sign
the module.
* secret is the password for the private key of the certificate
being used to sign the module.
* exchain. is the name of the text file identifying the
Export certificate chain to be embedded in the signature.
* "AAAAAQ==" is the base-64 encoded value of the
CDSA_USEE_DOMESTIC tag.
* "XX" specifies that the CDSA_PRIV tag is not in the manifest.
* "EXEMPT" is the CDSA_PVC_API tag specifying that this is an
application manifest.
* "XX" specifies that the CDSA_PVC_SPI tag is not in the
manifest.