Note that this utility is defined as cdsa_sign by CDSA$SYMBOLS.COM.
The cdsa_sign utility takes a service provider product, application,
or CSSM binary, plus the manufacturer certificates generated using
certgen, and creates a manifest file. Manifest files have a file
extension of .ESW.
This utility can be used for Integrity signing and for Export
signing. Integrity signing creates a new manifest, while Export
signing adds signers to an existing manifest. The options for each
function are totally different, so they are described here in separate
sections. Integrity signing for a module must always be done before Export
signing.
Integrity
Signing
Integrity signing is optional for applications and mandatory
for add-in modules.
The subdirectory (in UNIX
directory format) containing the module being signed.
type
The module type, which can be one of the following:
A
Service provider module
C
CSSM
D
Application sharable image
E
Elective Module Manager
G
Generic file
X
Application executable
signer_cert
The name of the certificate
being used to sign the module.
password
The password for the private
key of the certificate being used to sign the module.
cert_chain
A text file identifying the
certificates to be embedded. This file has the following form:
number cert1 cert2 . . .
where number is the number of certificates being embedded, and cert1 and cert2 are the names of certificates to be embedded; for
example:
2 introot.cer intmanf.cer
module_guid
The string version of the
globally unique identifier of the module being signed (as installed in
MDS).
access_tag
For installer modules, this
is the base-64 encoded, unsigned, 32-bit value (in big-endian) of the
access type defined for CDSA_DB_ACCESS_TYPE. For modules other
than installers, specify "XX" for this parameter.
pvcapi_tag
Specifies whether pointer
validation checking is to be done on the application program interface
boundaries. (Read more about PVC in “Pointer Validation Checking”.) The values for the CDSA_PVC_API tag are
as follows:
“EXEMPT”
Specifies an application
manifest, where the program can set the PVC flag in cssm_Init().
“OFF”
Specifies a CSSM manifest,
where the PVC flag is not applicable.
“XX”
Specifies that the CDSA_PVC_API
tag is not in the manifest.
pvcspi_tag
Specifies whether pointer
validation checking is to be done on the service provider interface boundaries.
(Read more about PVC in “Pointer Validation Checking”.) The values for the CDSA_PVC_SPI tag are as
follows:
“EXEMPT”
Specifies a service provider
manifest, where the program can set the PVC flag in cssm_Init().
“OFF”
Specifies a CSSM manifest,
where the PVC flag is not applicable.
“XX”
Specifies that the CDSA_PVC_SPI
tag is not in the manifest.
priv_tag
The CDSA_PRIV tag in the
manifest. No CDSA_PRIV tag values are defined, so specify "XX"
to indicate that this tag is not in the manifest.
EXAMPLE
The following is an example of the cdsa_sign command for Integrity
signing:
The first command defines the logical cdsa_sign (which is
used internally by the code) in UNIX directory format as the directory
where the executable to be signed can be found.
stubcsp300_shr
is the name of the module being signed.
cdsa_sign is the logical
pointing to the directory containing the module.
A indicates that stubcsp300_shr
is a service provider module.
intmods.cer is the name of
the certificate being used to sign the module.
intmods is the password for
the private key of the certificate (intmods.cer) being used to sign
the module.
intchain. is the name of
the text file containing the names of the certificates in the certificate
chain.
{79BDE0F0-4541-11d3-A8F3-0090271D266F}
is the GUID of the service provider module.
"XX" is the access tag, which
indicates that this is not an installer module.
"EXEMPT" is the CDSA_PVC_API
tag specifying that this is an application manifest.
"XX" specifies that the CDSA_PVC_SPI
tag is not in the manifest.
"XX" specifies that the CDSA_PRIV
tag is not in the manifest.
Export
Signing
Export signing is optional. Before you can do Export signing
for a module, you must already have done Integrity signing and a
manifest must exist. For more information about Export signing,
refer to the Intel Common Data Security Architecture
Manifest Signing Tools User’s Guide.
The path (in UNIX directory
format) to the manifest created in the Integrity signing phase.
signer_cert
The name of the certificate
being used to sign the module.
password
The password for the private
key of the certificate being used to sign the module.
cert_chain
A text file identifying the
certificates to be embedded. This file has the following form:
number cert1 cert2 . . .
where number is the number of certificates being embedded, and cert1 and cert2 are the names of certificates to be embedded; for
example:
2 introot.cer intmanf.cer
usee_tag
The base-64 encoded value
of the CSSM_USEE_TAG value. This value must be enclosed within double
quotation marks.
priv_tag
The CDSA_PRIV tag in the
manifest. No CDSA_PRIV tag values are defined, so specify "XX"
to indicate that this tag is not in the manifest.
pvcapi_tag
Specifies whether pointer
validation checking is to be done on the application program interface
boundaries. (Read more about PVC in “Pointer Validation Checking”.) The values for the CDSA_PVC_API tag are
as follows:
“EXEMPT”
Specifies an application
manifest, where the program can set the PVC flag in cssm_Init.
“OFF”
Specifies a CSSM manifest,
where the PVC flag is not applicable.
“XX”
Specifies that the CDSA_PVC_API
tag is not in the manifest.
pvcspi_tag
Specifies whether pointer
validation checking is to be done on the service provider interface boundaries.
(Read more about PVC in “Pointer Validation Checking”.) The values for the CDSA_PVC_SPI tag are as
follows:
“EXEMPT”
Specifies a service provider
manifest, where the program can set the PVC flag in cssm_Init.
“OFF”
Specifies a CSSM manifest,
where the PVC flag is not applicable.
“XX”
Specifies that the CDSA_PVC_SPI
tag is not in the manifest.
EXAMPLE
The following is an example of the cdsa_sign command for Export
signing:
