A manifest is composed of header information followed by a list of sections. A section unambiguously describes a referent. The use of metadata is defined below.3.2.1
-
-
Manifest-Version: 2.0
Optionally, a version required for use may be specified:
-
-
Required-Version: 2.0
Well formed manifest sections begin with the Name token and a corresponding referent as a value.
For a listing of the common headers and their meanings see the appendix.
Multiple hash algorithms may be listed and the corresponding hash value must be present for each algorithm used.
Name values must be unique within a manifest. For example:
-
-
Name: SomeObject
MAGIC: UsesMetaData
Integrity-TrustedSigner: Some Certificate
Name: SomeObject
Digest_Algorithms: MD5
MD5-Digest: xxxx
is not a valid construction, because the sections cannot be distinguished.
If duplicate sections are encountered only the first is recognized. Nonrecognized headers are ignored.
In this specification, terminals are specified in all capital letters with non-terminals being specified in lower case. An asterisk indicates 0 or more of the item that follows, while a plus (+) indicates 1 or more of the item that follows.
The format specification for the header of a manifest description is:
-
-
manifest:"Manifest-Version: 2.0"<newline>+<manifest_entry>*
manifest_entry:<section><newline>*
The format specification for signer information is:
-
-
signer_info:"Signature-Version: 2.0" \
<newline>+<header_attr>*<newline>+ \
<signer_info_ent>+signer_info_ent:<section><newline>*
The format specification for a section (both manifest and signer
information) is:
-
-
header_attr:<attribname>: <value><newline>
wspace_sep_lst:<headerchar>+<wspace_next>*
wspace_next:\s+<headerchar>+
section:<nameheader><sect_line>*<newline>
sect_line:{<sect_name>|<digest_alg>|<digest_val>|<sect_attr>}
nameheader:"Name:" <value><newline>
sect_name:"SectionName:" <value><newline>
digest_alg:"Digest-Algorithms:" <value><newline>
digest_val:<digest_name_val>":" <value><newline>
digest_name_val:<attribname>"-Digest"
sect_attr:<attribname>: <value><newline>
value:<otherchar>*<cont>*
attribname:<alphanum><headerchar>*
cont:<newline> <otherchar>+
newline:{\r\n|\n}
headerchar:{<alphanum>|_|-}
alphanum:[A-Za-z0-9]
otherchar:.
number:[0-9]+
A section begins with the Name token and ends when a new section begins or an end of file is encountered.
Metadata is described by using name:value pairs, where the format of
name specifies both
the metadata set being used as well as the name element from the set:
-
-
(Meta Data Set ID)-(Element Name):Value
For example the Integrity Core set element TrustedSigner would be described as:
-
-
Integrity-TrustedSigner: Some Certificate
-
-
Name: ExampleFile
SectionName: Example of ordered operations on a referent
Ordered-Attributes: SHA1_Digest, Compression
Digest_Algorithms: SHA1
SHA1_Digest: <base64 encoded value>
Compression: SomeSuperFastAlgo
This manifest section specifies that the referent has ordered attributes of SHA1_Digest and Compression. The values that appear as the Ordered-Attributes, must be further qualified by other attributes appearing within this manifest section. The values of the Ordered-Attributes token must be an exact match with the names for other attributes within the section.
The listed order is relative to the signing operation, which implies that the verification operation must reverse the order of these operations.
-
-
Manifest-Version: 2.0
DublinCore-Title: Signed Manifest Format Proposals
Name: http://developer.intel.com/ial/security/CSSMSignedManifest.ps
SectionName: Intel Manifest Format
Digest_Algorithms: MD5
MD5-Digest: (base64 representation of MD5 hash)
MAGIC: UsesMetaData
Integrity-Verifydata: Reference-Value
DublinCore-Title: Signed Manifest File Format
DublinCore-Subject: Manifest Format
DublinCore-Author: CSSM Manifest Team
DublinCore-Language: ENG
DublinCore-Form: text/postscript
Name: http://www.javasoft.com/jdk/SignedManifest.html
SectionName: JavaSoft Manifest Format
Digest_Algorithms: MD5
MD5-Digest: (base64 representation of MD5 hash)
MAGIC: UsesMetaData
Integrity-Verifydata: Reference-Value
DublinCore-Title: JavaSoft Signed Manifest Specification
DublinCore-Subject: Manifest Format
DublinCore-Author: Someone from JavaSoft
DublinCore-Language: ENG
DublinCore-Format: text/html
-
-
Signature-Version: 2.0
General information supplied by the signer that is not specific to any particular referent should be included in this header.
Referents appearing in the manifest sections but not in the signer's information are not included in the hash calculation. This allows subsets of the manifest to be signed.
A signature section begins with the Name token. There must be an exact match between a Name:value pair in the signature section and a Name.value pair in the manifest file.
The following are required:
-
-
Name: URL or relative pathname
Digest_Algorithms: MD5
(algorithm)-Digest: (base-64 representation of hash)
-
-
Signature-Version: 2.0
Name: ./MyFiles/File1
SectionName: File1 Section
Digest_Algorithms: MD5
MD5-Digest: (base64 representation of MD5 hash)
Name: ./MyFiles/File2
Digest_Algorithms: MD5
MD5-Digest: (base64 representation of MD5 hash)
Contents | Next section | Index |