HP OpenVMS Systems Documentation

Content starts here
HP Open Source Security for OpenVMS Volume 1: Common Data Security Architecture > Chapter 4 CDSA Utility Programs

CDSA$SIGN.EXE

  Table of Contents

  Glossary

  Index

Note that this utility is defined as cdsa_sign by CDSA$SYMBOLS.COM. The cdsa_sign utility takes a service provider product, application, or CSSM binary, plus the manufacturer certificates generated using certgen, and creates a manifest file. Manifest files have a file extension of .ESW.

This utility can be used for Integrity signing and for Export signing. Integrity signing creates a new manifest, while Export signing adds signers to an existing manifest. The options for each function are totally different, so they are described here in separate sections. Integrity signing for a module must always be done before Export signing.

Integrity Signing

Integrity signing is optional for applications and mandatory for add-in modules.

SYNOPSIS

cdsa_sign module_name subdirectory type signer_cert password cert_chain
module_guid
access_tag pvcapi_tag pvcspi_tag priv_tag

OPTIONS

module_name 

The name of the module being signed.

subdirectory 

The subdirectory (in UNIX directory format) containing the module being signed.

type 

The module type, which can be one of the following:

A 

Service provider module

C 

CSSM

D 

Application sharable image

E 

Elective Module Manager

G 

Generic file

X 

Application executable

signer_cert 

The name of the certificate being used to sign the module.

password 

The password for the private key of the certificate being used to sign the module.

cert_chain 

A text file identifying the certificates to be embedded. This file has the following form:

number
cert1

cert2
.
.
.

where number is the number of certificates being embedded, and cert1 and cert2 are the names of certificates to be embedded; for example:

2
introot.cer
intmanf.cer
module_guid 

The string version of the globally unique identifier of the module being signed (as installed in MDS).

access_tag 

For installer modules, this is the base-64 encoded, unsigned, 32-bit value (in big-endian) of the access type defined for CDSA_DB_ACCESS_TYPE. For modules other than installers, specify "XX" for this parameter.

pvcapi_tag 

Specifies whether pointer validation checking is to be done on the application program interface boundaries. (Read more about PVC in “Pointer Validation Checking”.) The values for the CDSA_PVC_API tag are as follows:

“EXEMPT” 

Specifies an application manifest, where the program can set the PVC flag in cssm_Init().

“OFF” 

Specifies a CSSM manifest, where the PVC flag is not applicable.

“XX” 

Specifies that the CDSA_PVC_API tag is not in the manifest.

pvcspi_tag 

Specifies whether pointer validation checking is to be done on the service provider interface boundaries. (Read more about PVC in “Pointer Validation Checking”.) The values for the CDSA_PVC_SPI tag are as follows:

“EXEMPT” 

Specifies a service provider manifest, where the program can set the PVC flag in cssm_Init().

“OFF” 

Specifies a CSSM manifest, where the PVC flag is not applicable.

“XX” 

Specifies that the CDSA_PVC_SPI tag is not in the manifest.

priv_tag 

The CDSA_PRIV tag in the manifest. No CDSA_PRIV tag values are defined, so specify "XX" to indicate that this tag is not in the manifest.

EXAMPLE

The following is an example of the cdsa_sign command for Integrity signing:

$ define cdsa_sign "/cdsa_tempdir/addin"
$ set default cdsa_sysdir:[sign]
$ cdsa_sign stubcsp300_shr cdsa_sign A intmods.cer -
_$ intmods intchain. {79BDE0F0-4541-11d3-A8F3-0090271D266F} -
_$ "XX" "EXEMPT" "XX" "XX"

The first command defines the logical cdsa_sign (which is used internally by the code) in UNIX directory format as the directory where the executable to be signed can be found.

  • stubcsp300_shr is the name of the module being signed.

  • cdsa_sign is the logical pointing to the directory containing the module.

  • A indicates that stubcsp300_shr is a service provider module.

  • intmods.cer is the name of the certificate being used to sign the module.

  • intmods is the password for the private key of the certificate (intmods.cer) being used to sign the module.

  • intchain. is the name of the text file containing the names of the certificates in the certificate chain.

  • {79BDE0F0-4541-11d3-A8F3-0090271D266F} is the GUID of the service provider module.

  • "XX" is the access tag, which indicates that this is not an installer module.

  • "EXEMPT" is the CDSA_PVC_API tag specifying that this is an application manifest.

  • "XX" specifies that the CDSA_PVC_SPI tag is not in the manifest.

  • "XX" specifies that the CDSA_PRIV tag is not in the manifest.

Export Signing

Export signing is optional. Before you can do Export signing for a module, you must already have done Integrity signing and a manifest must exist. For more information about Export signing, refer to the Intel Common Data Security Architecture Manifest Signing Tools User’s Guide.

SYNOPSIS

cdsa_sign manifest_path signer_cert password cert_chain usee_tag priv_tag pvcapi_tag pvcspi_tag

OPTIONS

manifest_path 

The path (in UNIX directory format) to the manifest created in the Integrity signing phase.

signer_cert 

The name of the certificate being used to sign the module.

password 

The password for the private key of the certificate being used to sign the module.

cert_chain 

A text file identifying the certificates to be embedded. This file has the following form:

number
cert1
cert2
.
.
.

where number is the number of certificates being embedded, and cert1 and cert2 are the names of certificates to be embedded; for example:

2
introot.cer
intmanf.cer
usee_tag 

The base-64 encoded value of the CSSM_USEE_TAG value. This value must be enclosed within double quotation marks.

priv_tag 

The CDSA_PRIV tag in the manifest. No CDSA_PRIV tag values are defined, so specify "XX" to indicate that this tag is not in the manifest.

pvcapi_tag 

Specifies whether pointer validation checking is to be done on the application program interface boundaries. (Read more about PVC in “Pointer Validation Checking”.) The values for the CDSA_PVC_API tag are as follows:

“EXEMPT” 

Specifies an application manifest, where the program can set the PVC flag in cssm_Init.

“OFF” 

Specifies a CSSM manifest, where the PVC flag is not applicable.

“XX” 

Specifies that the CDSA_PVC_API tag is not in the manifest.

pvcspi_tag 

Specifies whether pointer validation checking is to be done on the service provider interface boundaries. (Read more about PVC in “Pointer Validation Checking”.) The values for the CDSA_PVC_SPI tag are as follows:

“EXEMPT” 

Specifies a service provider manifest, where the program can set the PVC flag in cssm_Init.

“OFF” 

Specifies a CSSM manifest, where the PVC flag is not applicable.

“XX” 

Specifies that the CDSA_PVC_SPI tag is not in the manifest.

EXAMPLE

The following is an example of the cdsa_sign command for Export signing:

$ cdsa_sign /cdsa_tempdir/des2/des2.esw exapps.cer secret exchain. -
_$ "AAAAAQ==" "XX" "EXEMPT" "XX"

In this example:

  • /cdsa_tempdir/des2/des2.esw is the path (in UNIX directory format) to the manifest created during Integrity signing.

  • exapps.cer is the name of the certificate being used to sign the module.

  • secret is the password for the private key of the certificate being used to sign the module.

  • exchain. is the name of the text file identifying the certificates to be embedded in the signature.

  • "AAAAAQ==" is the base-64 encoded value of the CDSA_USEE_DOMESTIC tag.

  • "XX" specifies that the CDSA_PRIV tag is not in the manifest.

  • "EXEMPT" is the CDSA_PVC_API tag specifying that this is an application manifest.

  • "XX" specifies that the CDSA_PVC_SPI tag is not in the manifest.