HELPLIB.HLB  —  CDSA
"EXEMPT" Specifies an application manifest, where the program can set the PVC flag in cssm_Init. "OFF" Specifies a CSSM manifest, where the PVC flag is not applicable. "XX" Specifies that the CDSA_PVC_API tag is not in the manifest. pvcspi_tag Specifies whether pointer validation checking is to be done on the service provider interface boundaries. The values for the CDSA_PVC_SPI tag are as follows: "EXEMPT" Specifies a service provider manifest, where the program can set the PVC flag in cssm_Init. "OFF" Specifies a CSSM manifest, where the PVC flag is not applicable. "XX" Specifies that the CDSA_PVC_SPI tag is not in the manifest. priv_tag The CDSA_PRIV tag in the manifest. Currently, no CDSA_PRIV tag values are defined, so specify "XX" to indicate that this tag is not in the manifest.

7.2  –  Integrity Signing Example

   The following is an example of the cdsa_sign command for Integrity
   signing:

      $ define cdsa_sign "/cdsa_tempdir/addin"
      $ set default cdsa_sysdir:[sign]
      $ cdsa_sign stubcsp300_shr cdsa_sign A intmods.cer -
      _$ intmods intchain. {79BDE0F0-4541-11d3-A8F3-0090271D266F} -
      _$ "XX" "EXEMPT" "XX" "XX"

      The first command defines the logical cdsa_sign (which is used
      internally by the code) in UNIX directory format as the
      directory where the executable to be signed can be found.

      * stubcsp300_shr is the name of the module being signed.
      * cdsa_sign is the logical pointing to the directory containing
        the module.
      * A indicates  that stubcsp300_shr is a service provider module.
      * intmods.cer is the name of the certificate being used to sign
        the module.
      * intmods is the password for the private key of the certificate
        (intmods.cer) being used to sign the module.
      * intchain. is the name of the text file containing the names of
        the certificates in the Integrity chain.
      * {79BDE0F0-4541-11d3-A8F3-0090271D266F} is the GUID of the service
        provider module.
      * "XX" is the access tag, which indicates that this is not an
        installer module.
      * "EXEMPT" is the CDSA_PVC_API tag specifying that this is an
        application manifest.
      * "XX" specifies that the CDSA_PVC_SPI tag is not in the manifest.
      * "XX" specifies that the CDSA_PRIV tag is not in the manifest.

7.3  –  Export Signing

   Export signing is optional. Before you can do Export signing for a
   module, you must already have done Integrity signing and a manifest
   must exist.  For more information about Export signing, refer to the
   Intel CDSA Manifest Signing Tools User's Guide.

 SYNOPSIS

   cdsa_sign manifest_path signer_cert password cert_chain usee_tag
   priv_tag pvcapi_tag pvcspi_tag

 OPTIONS

   manifest_path
      The path (in UNIX directory format) to the manifest created in the
      Integrity signing phase.

   signer_cert
      The name of the certificate being used to sign the module.

   password
      The password for the private key of the certificate being used to
      sign the module.

   cert_chain
      A text file identifying the Export certificates to be embedded.
      This file has the following form:

        number
        cert1
        cert2
        .
        .
        .

        where number is the number of certificates being embedded, and
        cert1 and cert2 are the names of certificates to be embedded;
        for example:

             2
             introot.cer
             intmanf.cer

   usee_tag
      The base-64 encoded value of the CSSM_USEE_TAG value.
      This value must be enclosed within double quotation marks.

   priv_tag
      The CDSA_PRIV tag in the manifest.  Currently, no CDSA_PRIV tag
      values are defined, so specify "XX" to indicate that this tag is
      not in the manifest.

   pvcapi_tag
      The CDSA_PVC_API tag for application and CSSM manifests.
      The values are:

        "EXEMPT" Specifies an application manifest.
        "OFF"    Specifies a CSSM manifest.
        "XX"     Specifies that the CDSA_PVC_API tag is not
                 in the manifest.

   pvcspi_tag
      The CDSA_PVC_SPI tag for application and CSSM manifests.
      The values are:

        "EXEMPT" Specifies an application manifest.
        "OFF"    Specifies a CSSM manifest.
        "XX"     Specifies that the CDSA_PVC_SPI tag is not
                 in the manifest.

7.4  –  Export Signing Example

   The following is an example of the cdsa_sign command for Export signing:

      $ cdsa_sign /cdsa_tempdir/des2/des2.esw exapps.cer secret exchain. -
      _$ "AAAAAQ==" "XX" "EXEMPT" "XX"

      In this example:

        * /cdsa_tempdir/des2/des2.esw is the path (in UNIX format)
          to the manifest created during Integrity signing.
        * exapps.cer is the name of the certificate being used to sign
          the module.
        * secret is the password for the private key of the certificate
          being used to sign the module.
        * exchain. is the name of the text file identifying the
          Export certificate chain to be embedded in the signature.
        * "AAAAAQ==" is the base-64 encoded value of the
           CDSA_USEE_DOMESTIC tag.
        * "XX" specifies that the CDSA_PRIV tag is not in the manifest.
        * "EXEMPT" is the CDSA_PVC_API tag specifying that this is an
           application manifest.
        * "XX" specifies that the CDSA_PVC_SPI tag is not in the
           manifest.

8  –  CDSA$X5092XML.EXE

   The x5092xml utility reads an X509 certificate file, extracts the
   subject name, and writes the name as XML to an XML file.  This tool
   is useful for producing example template files that can be modified.

 SYNOPSIS

   x5092xml infile outfile

 OPTIONS

   infile
      The name of the X509 certificate file from which the subject
      name is being extracted.

   outfile
      The name of the XML file to which the name is to be written.

8.1  –  EXAMPLE

      x5092xml introot.cer introot.xml

9  –  CDSA$VALIDATE.EXE

   The CDSA$VALIDATE program allows the user to check the validity of a
   manifest against the file that it was created from.  It performs the
   same functionality as programmatically calling CDSA_FileValidate, but
   from a stand-alone program.

 SYNOPSIS

   $ CDSA$VALIDATE filename

 OPTIONS

   filename
     The full file specification of the file for which the manifest was
     created.  Currently, the filename must be a Windows style path in
     order to be compatible with CDSA.  The name of the manifest that
     is the digital signature of 'filename' is calculated from the
     target filename.  The manifest has a file extension of "*.<ext>_ESW"
     where <ext> is the extension of the target file.

 EXAMPLE

   $ @sys$manager:cdsa$symbols
   $ validate /user1/mydirectory/foobar.pcsi

 RETURNS

   CDSA$VALIDATE will return SS$_NORMAL for success and 0 if the validation
   fails, or an error occurs.

10  –  CDSA FileValidate

 NAME
   CDSA_FileValidate - Validate a manifest file against its target file

 SYNOPSIS
   #include <cssm.h>

   int CDSA_FileValidate( char         *target_file,
                          CSSM_RETURN  *CDSA_Ret_Status );

 LIBRARY
   Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

 PARAMETERS

   target_file     (input)    The full filespec of the file to be validated.
   CDSA_Ret_Status (output)   A CDSA status code.  If non-zero, the status
                              may be decoded using the routine
                              Decode_CDSA_Error.

 DESCRIPTION
   This routine validates a target file using the associated manifest file.
   It is the callable equivalent of CDSA$VALIDATE.EXE.

 RETURN VALUE

   VMS_Success or VMS_Failure

 ERRORS

   Errors are described in the CDSA technical standard.  See CDSA.

     CSSM_OK
     CSSM_ERRCODE_SELF_CHECK_FAILED
     CSSMERR_SD_NO_TARGETFILE
     CSSMERR_SD_NO_MANIFESTFILE
     CSSM_ERRCODE_MEMORY_ERROR
     CSSMERR_SD_MANIFESTFILE_OPEN_FAILED
     CSSMERR_SD_MANIFESTFILE_READ_FAILED
     CSSMERR_SD_TARGETFILE_STRING_NOT_FOUND
     CSSMERR_SD_TARGETFILE_TERMINATOR_NOT_FOUND

11  –  Decode CDSA Error

 NAME
   Decode_CDSA_Error - Turn a CDSA error code into the corresponding message

 SYNOPSIS
   #include <cssmerr.h>

   void Decode_CDSA_Error( CSSM_RETURN Error_Code,
                           char        *Error_Label_String,
                           char        *Error_String);

 LIBRARY
   Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

 PARAMETERS
   Error_Code         (input)    The numeric error code return by CDSA
                                 routines.
   Error_Label_String (output)   The string representing the error code
                                 itself.
   Error_String       (output)   The string describing the error.

 DESCRIPTION
   This routine converts a numeric CDSA error code into two strings.
   Error_Label_String is a string representing the error that can be used
   in error-checking code.  Error_String is a description of the error.

 RETURN VALUE

   None

 ERRORS

   None

12  –  Print CDSA Error

 NAME
   Print_CDSA_Error - Output the CDSA error strings to SYS$OUTPUT

 SYNOPSIS
   #include <cssmerr.h>

   void Print_CDSA_Error( CSSM_RETURN  Error_Code);

 LIBRARY
   Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

 PARAMETERS
   Error_Code         (input)    The numeric error code return by CDSA
                                 routines.

 DESCRIPTION
   This routine outputs the strings returned by Decode_CDSA_Error to
   SYS$OUTPUT.  It provides a simple way report CDSA errors from a user
   program.

 RETURN VALUE

   None

 ERRORS

   None

13  –  Human Recognition Service (HRS)

   CDSA/HRS (Common Data Security Architecture/Human Recognition Service)
   is a CSSM (Common Security Services Manager) EMM (Elective Module
   Manager).  It is intended to provide a high-level generic
   authentication model, suited to use for any form of human
   authentication.  Particular emphasis has been made in the design on
   its suitability for authentication using biometric technology.

   It covers the basic functions of Enrollment, Verification, and
   Identification, and includes a database interface to allow a
   biometric service provider (BSP) to manage the identification
   population for optimum performance.

   It also provides primitives which allow the application to manage
   the capture of samples on a client, and the Enrollment,
   Verification, and Identification, on a server.

   The HRS is designed for use by both application developers and
   biometric technology developers.  To make the integration of the
   technology as straightforward and simple as possible (thus
   enhancing its commercial viability), the approach taken is to
   hide or encapsulate to the extent possible the complexities of
   the biometric technology.  This approach also serves to extend
   the generality of the interface to address a larger set of
   potential biometric technologies and applications.

14  –  CDSA V2 New Features

   New Features in CDSA V2.2

   - Full support for Secure Delivery, a mechanism used to produce and
     validate digital signatures for PCSI kits to be installed on OpenVMS.

   - Version 0.9.7E of the OpenSSL crypto routines.

   New features in CDSA V2.1

   - The ability to use CDSA$SIGN.EXE to create manifests for generic
     files, rather than just executable files.

   - CDSA$VALIDATE.EXE, which allows checking a generic manifest
     against the file for which it was created.  Also available is
     the new routine CDSA_FileValidate, which can be called
     programmatically to perform the same function.

   - Version 0.9.7D of the OpenSSL crypto routines.

   New features in CDSA V2.0

   - The tools to let application developers create certificates and
     sign their applications and optionally participate in bilateral
     authentication with CSSM.

   - The tools to allow developers to create new plug-in modules
     written for an existing category of service, and to have the
     modules participate in bilateral authentication with CSSM.

   - The tools to allow developers to create new categories of
     service and write plug-in modules to the new interface (and
     participate in bilateral authentication with CSSM).

   - New example programs to demonstrate the steps for writing
     and signing applications and plugin modules.

   - Version 0.9.6G of the OpenSSL crypto routines.
Close Help