Common Security: CDSA and CSSM
Copyright © 1997 The Open Group
Data Structures
Object Pointers
Many of the EISL objects form a hierarchical "contains" relationship.
The larger, containing object defines an iterator object that
enumerates the smaller objects. The smaller object defines a function
that returns the larger object that contains it. A table summarizing
the relationships among the EISL object types is provided at the end of
this section.
Iterator Objects
Iterators are "disposable" objects created from verified objects that
contain subordinate objects. They enumerate the manifest sections, or
the attributes of the certificate, signature, or manifest section. The
set of object references is determined when the iterator is created.
Subsequent changes to the object from which it is created do not affect
the set, the number of elements, or position in the iterator (this is
not a problem in the embedded version of the library, which cannot
change objects). Of course, many iterators can be used to traverse the
same set of object references independently.
The "get" function for each iterator object varies with each type of
subordinate object referenced and returned by the function.
The object is recycled after the "get" function indicates that there
are no more subordinate object references to enumerate.
Iterator objects are objects in their own right, but they are
documented with their containing object.
typedef const void *ISL_ITERATOR_PTR;
Verified Signature Root Object
A verified signature object is returned as the result of verifying a
signature root. (This differs from the object type returned by the
ISL_VerifySignatureRoot function.)
Valid operations on this object are to create an iterator to return
manifest sections, or search for a specific signed object. The
attributes of the unverified object have been verified, but the object
itself has not been verified.
One can also create an iterator to enumerate the verified attributes of
the signature itself.
typedef const void *ISL_VERIFIED_SIGNATURE_ROOT_PTR;
Verified Certificate Chain Object
A verified certificate chain object is returned by functions that
construct and verify a certificate chain. A certificate chain begins
with the trusted signer certificate and ends with the certificate of
the signer found in a signature block. Valid operations on this object
are to return an array of verified certificate objects. This object
can be contained in a Verified Signature Root Object.
typedef const void *ISL_VERIFIED_CERTIFICATE_CHAIN_PTR;
Verified Certificate Object
A verified certificate object is returned as a result of requesting the
verified certificates in a certificate chain. Valid operations on this
object include obtaining public key and other attributes stored in the
certificate. A verified certificate object cannot be modified. This
object can be contained in a Verified Certificate Chain Object.
typedef const void *ISL_VERIFIED_CERTIFICATE_PTR;
Manifest Section Object
A manifest section object is returned by an iterator that was created
from a verified root signature. For each signed object, there is a
manifest section which describes its attributes and how to retrieve and
verify it.
Valid operations on this object are to verify the signed object, and to
create an iterator which returns attributes of the signed object. Using
the iterator, it is possible to check the attributes of a signed object
prior to verifying the object itself. The manifest section object is
always contained in a Verified Signature Root Object.
typedef const void *ISL_MANIFEST_SECTION_PTR;
Verified Module Object
A verified module object is returned as a result of verifying the
credentials for a module. This object is created by either
ISL_VerifyAndLoadModuleAndCredentials,
ISL_VerifyLoadedModuleAndCredentials, ISL_SelfCheck,
ISL_VerifyAndLoadModule, or ISL_VerifyLoadedModule. This object is
always contained in a Verified Signature Root Object.
Valid operations on this object include checking address ranges and
obtaining the Manifest Section Object corresponding to the verified
module. The verified module object cannot be modified in memory, and
libraries must use various techniques to enforce this requirement.
typedef const void *ISL_VERIFIED_MODULE_PTR;
EISL Object Relationships and Life Cycle
| OBJECT | CONTAINING OBJECT | CREATING FUNCTION(S) | RECYCLING FUNCTION |
|---|---|---|---|
| Verified Signature Root* | none | ISL_Self_Check*, ISL_VerifyAndLoadModuleAndCredentials*, ISL_VerifyLoadedModuleAndCredentials* | ISL_RecycleModuleAndCredentials* |
| Verified Signature Root | none | ISL_CreateVerifiedSignatureRoot, ISL_CreateVerifiedSignatureRootWithCertificate | ISL_RecycleVerifiedSignatureRoot |
| Manifest Section | Verified Signature Root | (implicit) | (implicit) |
| Verified Module | Manifest Section | (implicit) | (implicit) |
| Verified Certificate | none | ISL_CreateCertificateChain | ISL_RecycleCertificateChain |
| Verified Certificate Chain*** | Verified Signature Root | (implicit) | (implicit) |
| Verified Certificate | Verified Certificate Chain | (implicit) | (implicit) |
| Manifest Section Iterator | Verified Signature Root | ISL_CreateManifestSectionEnumerator | ISL_RecycleManifestSectionEnumerator ** |
| Signature Attribute Iterator | Verified Signature Root | ISL_CreateSignatureAttributeEnumerator | ISL_RecycleSignatureAttributeEnumerator ** |
| Certificate Attribute Iterator | Verified Certificate | ISL_CreateCertificateAttributeEnumerator | ISL_RecycleCertificateAttributeEnumerator ** |
| Manifest Section Attribute Iterator | Verified Signature Root | ISL_CreateManifestSection | ISL_RecycleManifestSectionAttribute |
*   A Verified Module object in the API function is used to reference
    its containing Verified Signature Root in these "simplified API" calls.
**  The iterator is implicitly recycled if its parent object is recycled.
    The recycle API call is optional.
*** The object is created and recycled implicitly under the "simplified API"
    calls.
Low-Level Data Structures Used in API Functions
ISL_DATA
The ISL_DATA structure is used to associate a length, in bytes, with an
arbitrary block of contiguous memory.
typedef struct ISL_data {
    uint32 Length;    /* in bytes */
    uint8 *Data;
} ISL_DATA, *ISL_DATA_PTR;
Definition
- Length: Length of the data buffer in bytes.
- Data: Points to the start of an arbitrary length data buffer.
ISL_CONST_DATA
The ISL_CONST_DATA structure is used to associate a length, in bytes,
with an arbitrary block of contiguous "read-only" memory.
Note: The data referenced by the ISL_CONST_DATA is read-only, but the
ISL_CONST_DATA itself can be modified.
typedef struct ISL_data {
    uint32 Length;    /* in bytes */
    const uint8 *Data;
} ISL_CONST_DATA, *ISL_CONST_DATA_PTR;
Definition
- Length: Length of the data buffer in bytes.
- Data: Points to the start of an arbitrary length data buffer.
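An added example, not part of the CDSA specification: bounds-checked handling of ISL_CONST_DATA in which only the descriptor (Length and Data pointer) is modified while the referenced bytes stay read-only, as the note above describes. The helpers isl_data_equal, isl_data_take and isl_find_field, the mapping of uint32/uint8 onto <stdint.h>, and the length-prefixed sample buffers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

typedef uint32_t uint32;   /* assumption: CSSM base types map to <stdint.h> */
typedef uint8_t  uint8;

typedef struct ISL_data {
    uint32 Length;         /* in bytes */
    const uint8 *Data;
} ISL_CONST_DATA, *ISL_CONST_DATA_PTR;

/* Hypothetical helper: equality by Length, then bytes. Data is not
   NUL-terminated, so strlen/strcmp must never be used on it. */
static int isl_data_equal(const ISL_CONST_DATA *a, const ISL_CONST_DATA *b)
{
    if (a->Length != b->Length) return 0;
    return a->Length == 0 || memcmp(a->Data, b->Data, a->Length) == 0;
}

/* Hypothetical helper: move the first n bytes of *cur into *out.
   Only the descriptors change; the read-only bytes are never written. */
static int isl_data_take(ISL_CONST_DATA *cur, uint32 n, ISL_CONST_DATA *out)
{
    if (n > cur->Length) return 0;      /* reject before any pointer math */
    out->Data = cur->Data;
    out->Length = n;
    if (n) { cur->Data += n; cur->Length -= n; }
    return 1;
}

/* Constructed sample format: repeated [1-byte length][bytes] fields.
   Returns the index of the field equal to *want, -1 if absent,
   -2 if a field claims more bytes than remain in the buffer. */
static int isl_find_field(const uint8 *buf, uint32 len, const ISL_CONST_DATA *want)
{
    ISL_CONST_DATA cur = { len, buf }, hdr, field;
    for (int i = 0; cur.Length > 0; i++) {
        if (!isl_data_take(&cur, 1, &hdr) ||
            !isl_data_take(&cur, hdr.Data[0], &field))
            return -2;
        if (isl_data_equal(&field, want)) return i;
    }
    return -1;
}

/* Constructed inputs: the second ends with a field that overruns. */
static const uint8 SAMPLE_OK[]  = { 4,'N','a','m','e', 3,'a','b','c' };
static const uint8 SAMPLE_BAD[] = { 4,'N','a','m','e', 9,'a','b','c' };
```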