A CDSA add-in module is a dynamically-linkable library, composed of functions that implement some or all of the CSSM Module Interfaces. Add-in module functionality is partitioned into two areas:
Add-in modules provide one or more categories of security services to applications. The service categories are Cryptographic Service Provider (CSP) services, Trust Policy (TP) services, Authorization Computation (AC) services, Certificate Library (CL) services, and Data Storage Library (DL) services. Each security service contains one or more implementation instances, called sub-services. For a CSP service providing access to hardware tokens, a sub-service would represent a slot. For a DL service provider, a sub-service would represent a type of persistent storage. These sub-services each support the module interface for their respective service categories.
This Part describes the module interface functions in the trust policy service category.
Each module, regardless of the security services it offers, has the same set of administrative responsibilities. Every module must expose functions which allow CSSM to indicate events such as module attach and detach. In addition, as part of the attach operation, every module must be able to verify its own integrity, verify the integrity of CSSM, and register with CSSM. Detailed information about add-in module structure, administration, and interfaces can be found in Part 9 of this Technical Standard.
The CSSM Trust Policy API defines the generic operations that each TP module supports. Each module may choose to implement the required subset of these operations for the policy it serves.
The CSSM API defines a pass-through function, which allows each module to provide additional functions, along with those defined by the CSSM Trust Policy API. When a TP function determines the trustworthiness of performing an action, it may invoke Certificate Library functions and Data storage Library functions to carry out the mechanics of the approved action. TP modules must be installed and registered with the CSSM Trust Policy Services Manager. Applications may query the Services Manager to retrieve properties of the TP module, as defined during installation.
CSSM manages function tables provided by the TP module and the application. A function upcall table is used to register application memory allocation and de-allocation functions with CSSM. The Trust Policy module will have access to the upcall table. The Trust Policy module registers its function table with CSSM at library load time using CSSM_RegisterServices. See the CSSM Add-in Module Structure and Administration Specification for details of module installation and registration.