CDSA programming on OpenVMS works much the same as on any
other platform. The following sections indicate differences and
important information.
Compiling a CDSA Program
When you compile your program, you need to add the /INCLUDE=CDSA_SYSDIR:[INCLUDES]
qualifier to your compiler command line. The following command is
taken from the BUILD_DES.COM example in this chapter (see “DES
Encryption/Decryption Example Program”):
Most CDSA applications must link with SYS$SHARE:CDSA$INCSSM300_SHR.EXE.
If the application uses MDS, you might need to include SYS$SHARE:CDSA$MDS300_SHR.EXE
and SYS$SHARE:CDSA$MDS_UTIL_API.OLB as well.
Because CDSA routines are located in shareable libraries,
the use of a link options file is recommended. For details about
using link options files, refer to the OpenVMS Linker
Utility Manual. The CDSA example programs described
in “CDSA Example Programs” provide
examples of using link options files for CDSA applications.
CDSA Integrity
Checking
CDSA provides two types of integrity checking: bilateral authentication
and pointer validation checking.
Bilateral Authentication
Bilateral
authentication checks the integrity of modules as they are dynamically
loaded into the system. A bilateral authentication procedure is
designed for two entities to establish trust in the identity and
integrity of each other. When loading a service provider module
or an elective module manager, CDSA requires that the attaching
module participate in this authentication protocol. Both modules
in the bilateral authentication procedure must have signed credentials
that bind them to the trust hierarchy used by CDSA. These credentials
are stored in the CDSA MDS database during module installation.
Refer to the Intel Common Data Security Architecture
Application Developer's Guide (Chapter 11, Integrity) and
the Intel Common Data Security Architecture Manifest
Signing Tools User's Guide for more detailed explanations
of the bilateral authentication process.
Pointer Validation Checking
Pointer validation
checking (PVC) entails validating addresses under the following
circumstances:
Before calling across the application
interface into CDSA (PVC is optional on OpenVMS in this case.)
Before calling across the CDSA interface to an add-in
module (PVC is required on OpenVMS in this case.)
The Pointer Validation Policy is established using the PvcPolicy
parameter in the CSSM_Init call. The parameter values can be derived
using the constants in the file CSSMTYPE.H in CDSA_SYSDIR:[INCLUDES].
Starting with OpenVMS Alpha Version 7.3-2, the values for the PvcPolicy parameter
that are valid for CDSA are as described in the following table.
Value
Description
2
PVC validation is performed
on service provider modules only. CSSM_PVC_SP is used for PVC validation
on service provider modules.
3
PVC validation is performed on both service
provider and application modules. The bitwise OR of CSSM_PVC_APP
and CSSM_PVC_SP is used for PVC validation on both service provider
and application modules; for example, (CSSM_PVC_APP | CSSM_PVC_SP).
For more information about pointer validation checking, see
the description of the CSSM_Init() API.
