Common Security: CDSA and CSSM, Version 2
Copyright © 1999 The Open Group

Introduction

CDSA Add-In Module Overview


Figure: CDSA Add-In Module Structure

A CDSA add-in module is a dynamically-linkable library, composed of functions that implement some or all of the CSSM Module Interfaces. Add-in module functionality is partitioned into two areas:

Add-in modules provide one or more categories of security services to applications. The service categories are Cryptographic Service Provider (CSP) services, Trust Policy (TP) services, Authorization Computation (AC) services, Certificate Library (CL) services, and Data Storage Library (DL) services. Each security service contains one or more implementation instances, called sub-services. For a CSP service providing access to hardware tokens, a sub-service would represent a slot. For a DL service provider, a sub-service would represent a type of persistent storage. These sub-services each support the module interface for their respective service categories.

This Part describes the module interface functions in the DL service category.

Each module, regardless of the security services it offers, has the same set of administrative responsibilities. Every module must expose functions that allow CSSM to indicate events such as module attach and detach. In addition, as part of the attach operation, every module must be able to verify its own integrity, verify the integrity of CSSM, and register with CSSM. Detailed information about add-in module structure, administration, and interfaces can be found in Part 9 of this Technical Standard.

Data Storage Library Overview

A module with data storage library (DL) services provides access to persistent data stores of certificates, certificate revocation lists (CRLs), keys, policies and other security-related objects. Stable storage can be provided by a:

The implementation of DL operations should be semantically free. For example, a DL operation which inserts a trusted X.509 certificate into a data store should not be responsible for verifying the trust on that certificate. The semantic interpretation of security objects should be implemented in TP services, layered services, and applications.

A pass-through function is defined in the DL API. This mechanism allows each DL to provide additional functions to store and retrieve certificates, CRLs and other security-related objects. Pass-through functions may be used to increase functionality or enhance performance.
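As an added illustration, not code from the CDSA specification or any DL implementation, the following self-contained C model separates a DL-style store, which records bytes without interpreting them, from a trust-policy check that the caller applies afterwards, and includes a pass-through dispatcher of the kind the DL API defines; all names and the trust rule are hypothetical.

```c
/* Added illustration, not CDSA code: a minimal in-memory store modelled on a DL
 * sub-service, plus a separate trust check, to show why storage stays
 * semantically free. All names and the trust rule are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_RECORDS 16
#define MAX_DATA 64

typedef enum { REC_CERT = 1, REC_CRL = 2 } record_type_t;

typedef struct { record_type_t type; uint8_t data[MAX_DATA]; size_t len; } dl_record_t;
typedef struct { dl_record_t records[MAX_RECORDS]; size_t count; } dl_store_t;

/* DL-layer insert: stores the bytes exactly as given and never interprets or
 * verifies them. Returns the new record id, or -1 if it cannot be stored. */
int dl_data_insert(dl_store_t *s, record_type_t type, const uint8_t *data, size_t len) {
    if (s->count >= MAX_RECORDS || len > MAX_DATA) return -1;
    dl_record_t *r = &s->records[s->count];
    r->type = type;
    memcpy(r->data, data, len);
    r->len = len;
    return (int)s->count++;
}

/* DL-layer retrieval by id; NULL for an unknown id. */
const dl_record_t *dl_data_get(const dl_store_t *s, int id) {
    if (id < 0 || (size_t)id >= s->count) return NULL;
    return &s->records[id];
}

/* Pass-through: a DL-specific extension selected by id. Id 1 counts records
 * of the type passed in; any other id is rejected rather than guessed at. */
int dl_pass_through(const dl_store_t *s, uint32_t id, const void *in, void *out) {
    if (id != 1) return -1;
    record_type_t wanted = *(const record_type_t *)in;
    size_t n = 0;
    for (size_t i = 0; i < s->count; i++) if (s->records[i].type == wanted) n++;
    *(size_t *)out = n;
    return 0;
}

/* TP-layer check: trust is decided here, outside the DL. Constructed rule:
 * a certificate record is trusted only if it begins with the DER SEQUENCE tag. */
int tp_cert_trusted(const dl_record_t *r) {
    return r != NULL && r->type == REC_CERT && r->len > 0 && r->data[0] == 0x30;
}
```

The store accepts the untrusted certificate just as readily as the trusted one; only the separate trust-policy layer tells them apart.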
