HELPLIB.HLB  —  CDSA  CDSA$SIGN.EXE
   Note that this utility is defined as cdsa_sign by CDSA$SYMBOLS.COM.
   The cdsa_sign utility takes a service provider product, application,
   or CSSM binary, plus the manufacturer certificates generated using
   certgen, and creates a manifest file.
   Manifest files have a file extension of .ESW.

   This utility can be used for Integrity signing and for Export
   signing. The options for each function are totally different,
   so they are described here in separate sections. Integrity
   signing for a module must always be done before Export signing.

1  –  Integrity Signing

   Integrity signing is optional for applications and mandatory
   for plug-in modules.

 SYNOPSIS

    cdsa_sign module_name subdirectory type signer_cert password
    cert_chain module_guid access_tag pvcapi_tag pvcspi_tag priv_tag

 OPTIONS

   module_ name
      The name of the module being signed.

   subdirectory
      The subdirectory (in UNIX directory format) containing the
      module being signed.

   type
      The module type, which can be one of the following:

        A - Service provider module
        C - CSSM
        D - Application sharable image
        E - Elective Module Manager
        G - Generic image
        X - Application executable

   signer_cert
      The name of the certificate being used to sign the module.

   password
      The password for the private key of the certificate being used
      to sign the module.

   cert_chain
      A text file identifying the Integrity certificates to be
      embedded. This file has the following form:

        number
        cert1
        cert2
        .
        .
        .

        where number is the number of certificates being embedded,
        and cert1 and cert2 are the names of certificates to be
        embedded; for example:

             2
             introot.cer
             intmanf.cer

   module_guid
      The string version of the globally unique identifier of the
      module being signed (as installed in MDS).

   access_tag
      For installer modules, this is the base-64 encoded, unsigned,
      32-bit value (in big-endian) of the access type defined for
      CDSA_DB_ACCESS_TYPE.  For modules other than installers,
      specify "XX" for this parameter.

   pvcapi_tag
      Specifies whether pointer validation checking is to be done on
      the application program interface boundaries.
      The values for the CDSA_PVC_API tag are as follows:

         "EXEMPT" Specifies an application manifest, where the program
                  can set the PVC flag in cssm_Init.
         "OFF"    Specifies a CSSM manifest, where the PVC flag is
                  not applicable.
         "XX"     Specifies that the CDSA_PVC_API tag is not in the
                  manifest.

   pvcspi_tag
      Specifies whether pointer validation checking is to be done on
      the service provider interface boundaries.
      The values for the CDSA_PVC_SPI tag are as follows:

         "EXEMPT" Specifies a service provider manifest, where the
                  program can set the PVC flag in cssm_Init.
         "OFF"    Specifies a CSSM manifest, where the PVC flag is
                  not applicable.
         "XX"     Specifies that the CDSA_PVC_SPI tag is not in the
                  manifest.

   priv_tag
      The CDSA_PRIV tag in the manifest. Currently, no CDSA_PRIV tag
      values are defined, so specify "XX" to indicate that this tag
      is not in the manifest.

2  –  Integrity Signing Example

   The following is an example of the cdsa_sign command for Integrity
   signing:

      $ define cdsa_sign "/cdsa_tempdir/addin"
      $ set default cdsa_sysdir:[sign]
      $ cdsa_sign stubcsp300_shr cdsa_sign A intmods.cer -
      _$ intmods intchain. {79BDE0F0-4541-11d3-A8F3-0090271D266F} -
      _$ "XX" "EXEMPT" "XX" "XX"

      The first command defines the logical cdsa_sign (which is used
      internally by the code) in UNIX directory format as the
      directory where the executable to be signed can be found.

      * stubcsp300_shr is the name of the module being signed.
      * cdsa_sign is the logical pointing to the directory containing
        the module.
      * A indicates  that stubcsp300_shr is a service provider module.
      * intmods.cer is the name of the certificate being used to sign
        the module.
      * intmods is the password for the private key of the certificate
        (intmods.cer) being used to sign the module.
      * intchain. is the name of the text file containing the names of
        the certificates in the Integrity chain.
      * {79BDE0F0-4541-11d3-A8F3-0090271D266F} is the GUID of the service
        provider module.
      * "XX" is the access tag, which indicates that this is not an
        installer module.
      * "EXEMPT" is the CDSA_PVC_API tag specifying that this is an
        application manifest.
      * "XX" specifies that the CDSA_PVC_SPI tag is not in the manifest.
      * "XX" specifies that the CDSA_PRIV tag is not in the manifest.

3  –  Export Signing

   Export signing is optional. Before you can do Export signing for a
   module, you must already have done Integrity signing and a manifest
   must exist.  For more information about Export signing, refer to the
   Intel CDSA Manifest Signing Tools User's Guide.

 SYNOPSIS

   cdsa_sign manifest_path signer_cert password cert_chain usee_tag
   priv_tag pvcapi_tag pvcspi_tag

 OPTIONS

   manifest_path
      The path (in UNIX directory format) to the manifest created in the
      Integrity signing phase.

   signer_cert
      The name of the certificate being used to sign the module.

   password
      The password for the private key of the certificate being used to
      sign the module.

   cert_chain
      A text file identifying the Export certificates to be embedded.
      This file has the following form:

        number
        cert1
        cert2
        .
        .
        .

        where number is the number of certificates being embedded, and
        cert1 and cert2 are the names of certificates to be embedded;
        for example:

             2
             introot.cer
             intmanf.cer

   usee_tag
      The base-64 encoded value of the CSSM_USEE_TAG value.
      This value must be enclosed within double quotation marks.

   priv_tag
      The CDSA_PRIV tag in the manifest.  Currently, no CDSA_PRIV tag
      values are defined, so specify "XX" to indicate that this tag is
      not in the manifest.

   pvcapi_tag
      The CDSA_PVC_API tag for application and CSSM manifests.
      The values are:

        "EXEMPT" Specifies an application manifest.
        "OFF"    Specifies a CSSM manifest.
        "XX"     Specifies that the CDSA_PVC_API tag is not
                 in the manifest.

   pvcspi_tag
      The CDSA_PVC_SPI tag for application and CSSM manifests.
      The values are:

        "EXEMPT" Specifies an application manifest.
        "OFF"    Specifies a CSSM manifest.
        "XX"     Specifies that the CDSA_PVC_SPI tag is not
                 in the manifest.

4  –  Export Signing Example

   The following is an example of the cdsa_sign command for Export signing:

      $ cdsa_sign /cdsa_tempdir/des2/des2.esw exapps.cer secret exchain. -
      _$ "AAAAAQ==" "XX" "EXEMPT" "XX"

      In this example:

        * /cdsa_tempdir/des2/des2.esw is the path (in UNIX format)
          to the manifest created during Integrity signing.
        * exapps.cer is the name of the certificate being used to sign
          the module.
        * secret is the password for the private key of the certificate
          being used to sign the module.
        * exchain. is the name of the text file identifying the
          Export certificate chain to be embedded in the signature.
        * "AAAAAQ==" is the base-64 encoded value of the
           CDSA_USEE_DOMESTIC tag.
        * "XX" specifies that the CDSA_PRIV tag is not in the manifest.
        * "EXEMPT" is the CDSA_PVC_API tag specifying that this is an
           application manifest.
        * "XX" specifies that the CDSA_PVC_SPI tag is not in the
           manifest.
Close Help