csp id user's guide - information security corporation
TRANSCRIPT
CSPid
User’s Guide
Version 3.0.1
Simplifying the Management of Cryptographic Credentials and
Enabling Role-based PKI in the Enterprise
Mar 1, 2013
CSPid User’s Guide
2
Information in this document is subject to change without notice and does not represent a commitment on the part of
Information Security Corporation. The software described in this document is furnished under a license agreement
or nondisclosure agreement. The software may be used or copied only in accordance with the terms of the
agreement. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying and recording, for any purpose other than the purchaser’s personal use without
the prior written permission of Information Security Corp.
CSPid software is commercial computer software and, together with any related documentation, is subject to the
restrictions on U.S. Government use as set forth below.
RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the United States Government is subject to
restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at
DFARS 52.227-7013. “Contractor/manufacturer” is Information Security Corporation, 1011 Lake Street, Suite 425,
Oak Park, IL 60301.
The U.S. International Traffic in Arms Regulations (ITARs) (22 CFR 125.03) prohibits the dissemination of certain
types of technical data to foreign nationals.
Protected by U.S. Patents No. 5,274,707, 5,373,560, and 5,699,431.
CSPid is a registered trademark of Information Security Corp. Other product and company names mentioned in this
document may be the trademarks of their respective owners.
The cryptographic functionality of CSPid is provided by CDK 7.0, ISC’s FIPS 140-2 Level 1compliant crypto-
graphic module. In addition, CSPid uses the following open source software packages redistributable under the terms
of the LGPL or other licenses:
FLTK, Version 1.1.7: Copyright© 1998-2005 Bill Spitzak and others.
CSPid is based in part on the work of the FLTK project (http://www.fltk.org). http://www.fltk.org/
PCSC, Version 1.01: Copyright© 2001 Dmitry Basko.
See the readme.txt file located in the pcsc subfolder of the installation for complete license information.
http://www.bds.dogma.net/pc_sc.htm
pugixml, version 1.2: Copyright© 2006-2012Arseny Kapoulkine.
See the pugixml.txt file located in the installation folder for complete license information.
http://www.pugixml.org
CSPid 3.0.1 User’s Guide, First Edition (Feb 2013)
©2007-13 Information Security Corp. All rights reserved.
Information Security Corporation
1011 Lake Street, Suite 425
Oak Park, IL 60301
Phone: +1 847 405-0500
Fax: +1 708 445-9705
Website: http://www.infoseccorp.com
E-mail: [email protected]
CSPid User’s Guide
3
Table of Contents
1. Introduction ........................................................................................................................ 8
1.1. Overview ......................................................................................................................... 8
1.2. CSPid Architecture .......................................................................................................... 8
1.3. CSPid Events ................................................................................................................ 10
1.4. CSPid DAS Support ...................................................................................................... 11
1.4.1. Notes ..................................................................................................................... 12
2. Installation ........................................................................................................................ 13
2.1. Overview ....................................................................................................................... 13
2.2. System Requirements .................................................................................................. 14
2.3. Windows ....................................................................................................................... 15
2.4. UNIX ............................................................................................................................. 16
3. Configuration .................................................................................................................... 17
3.1. Using CSPid with a Web Browser ................................................................................. 17
3.1.1. CAPI-based Browsers ........................................................................................... 17
3.1.2. Netscape-based Browsers .................................................................................... 17
3.2. Enrollment with a Web Browser ................................................................................... 17
3.2.1. CAPI-based Browsers ........................................................................................... 17
3.2.2. Netscape-based Browsers .................................................................................... 17
3.2.3. Other ..................................................................................................................... 17
3.3. Using CSPid with Java Applications .............................................................................. 18
3.4. Using CSPid with Apache Tomcat ................................................................................. 19
3.5. The CSPid Configuration File ........................................................................................ 19
3.5.1. Windows ................................................................................................................ 19
3.5.2. UNIX ...................................................................................................................... 19
3.5.3. CSPid Events .......................................................................................................... 20
3.5.4. Controlling Certificate Visibility .............................................................................. 21
3.5.5. Updating the Configuration File ............................................................................. 21
3.5.6. Password Reset Agents ........................................................................................ 23
3.5.7. Configuration Options ............................................................................................ 23
4. Using CSPid ....................................................................................................................... 37
4.1. The CSPid Management Tool ........................................................................................ 37
CSPid User’s Guide
4
4.1.1. Two Views of the Key Store .................................................................................. 38
4.1.2. Importing Credentials ............................................................................................ 39
4.1.3. Exporting Credentials ............................................................................................ 40
4.1.4. Deleting Credentials .............................................................................................. 40
4.1.5. Changing Your Password ...................................................................................... 41
4.1.6. Initiating Password Reset ..................................................................................... 42
4.1.7. Handling a User’s Password Reset Request (PRA only) ...................................... 43
4.1.8. Completing Password Reset ................................................................................. 43
4.1.9. Viewing Client Applications ................................................................................... 43
4.1.10. Registering With Applications ................................................................................ 44
4.1.11. Renewing Your Certificates ................................................................................... 44
4.1.12. The About Dialog ................................................................................................... 45
4.1.13. Terminating the Management Tool ....................................................................... 45
4.1.14. The Management Tool Command Line ................................................................. 45
4.2. The CSPid Command Line Tools .................................................................................. 48
4.2.1. cspid_cli ................................................................................................................. 48
4.2.2. cspid_ln (Windows Only) ....................................................................................... 53
4.3. The CSPid Audit Trail .................................................................................................... 55
4.3.1. Windows ................................................................................................................ 55
4.3.2. UNIX ...................................................................................................................... 55
5. CSPid Password and Key Management .......................................................................... 56
5.1. Password Management ................................................................................................ 56
5.1.1. Password History .................................................................................................. 56
5.1.2. Forced Password Change ..................................................................................... 56
5.1.3. Administrative Password Reset ............................................................................. 56
5.1.4. Password Timeout ................................................................................................. 57
5.1.5. Password Caching ................................................................................................ 57
5.2. Key Management ......................................................................................................... 58
5.2.1. Encrypted Memory ................................................................................................ 58
5.2.1.1. Encrypted Memory on Windows 2000 and Windows XP ...................................... 59
5.2.1.2. Encrypted Memory on Windows Vista and Windows 7 ......................................... 60
5.2.1.3. Encrypted Memory on UNIX-based Systems ........................................................ 60
5.2.2. Password Timeout Implementation Details ........................................................... 60
5.2.3. Key Management in the CSPid Management Tool ................................................ 61
6. CSPid Libraries .................................................................................................................. 62
6.1. The PKCS #11 Library .................................................................................................. 62
6.2. The Microsoft Windows Library .................................................................................... 62
7. Quality Assurance Issues ............................................................................................... 63
7.1. Testing Methodology .................................................................................................... 63
7.2. Known Issues ............................................................................................................... 64
CSPid User’s Guide
5
7.2.1. Windows ................................................................................................................ 64
7.2.2. Netscape 4.x or higher w/o PSM ........................................................................... 64
7.2.3. Netscape 4.75 or higher w/PSM 1.4 ...................................................................... 64
7.2.4. Internet Explorer .................................................................................................... 64
7.2.5. Microsoft Outlook .................................................................................................. 64
8. Net-Centric Applications ................................................................................................. 65
8.1. Role-Based Authentication ........................................................................................... 65
8.2. Role-Based Encryption ................................................................................................. 66
8.3. Confidentiality within a Community of Interest .............................................................. 66
8.4. Expanded Storage and Enhanced Security for Private Keys ....................................... 67
8.5. Brokered Authentication - “Need-to-Know” Control Over Sensitive Resources............ 68
9. References ........................................................................................................................ 70
10. Appendix A: Default Configuration File ......................................................................... 72
11. Appendix B: Supported PKCS #11 Mechanisms .......................................................... 83
12. Appendix C: The PKCS #15 Key Storage Format ......................................................... 84
12.1. PKCS #15 ................................................................................................................. 84
12.2. Object Syntax ............................................................................................................ 84
12.3. Confidentiality ........................................................................................................... 84
12.4. Integrity ..................................................................................................................... 85
12.5. Initialization ............................................................................................................... 85
13. Appendix D: A Sample PKCS #15 Key Store ................................................................. 86
CSPid User’s Guide
6
List of Figures
Figure 1: CSPid 3.0 Architecture Diagram ..................................................................................... 9
Figure 2: Modifying the java.security File ............................................................................ 18
Figure 3: Modifying Your Java Code ........................................................................................... 18
Figure 4: Modifying Java SSL/TLS Properties ............................................................................ 18
Figure 5: Modifying the Tomcat server.xml File ..................................................................... 19
Figure 6: The CSPid System Tray Menu ..................................................................................... 37
Figure 7: The CSPid Manager’s Main Window (Standard View) ................................................. 38
Figure 8: The CSPid Manager’s Main Window (Advanced View) ................................................ 38
Figure 9: Importing a File ............................................................................................................ 39
Figure 10: Exporting a File .......................................................................................................... 40
Figure 11: Confirming Certificate Deletion .................................................................................. 40
Figure 12: Confirming Private Key Deletion ................................................................................ 41
Figure 13: Changing Your CSPid Password ................................................................................ 41
Figure 14: Viewing Registered Applications ............................................................................... 44
Figure 15: Viewing the About Dialog ........................................................................................... 45
Figure 16: The cspid_cli Interface ............................................................................................... 49
Figure 17: The cspid_ln Interface ............................................................................................... 54
Figure 18: Watch Officers Sign Messages with Shared Role Key on DAS Server ..................... 65
Figure 19: Commander Decrypts Documents Using Role Key on DAS Server .......................... 66
Figure 20: CoI Members Decrypt Documents Using CoI Key on DAS Server ............................ 67
Figure 21: Officer Retains Access to His Entire Key History ...................................................... 68
Figure 22: A DAS Server Used to Impose Strong "Need-to-Know" Controls over Sensitive Resources ................................................................................................................................... 68
Figure 23: A Sample CSPid Configuration File with Default Settings .......................................... 81
CSPid User’s Guide
7
List of Tables
Table 1: CSPid Events ................................................................................................................. 11
Table 2: System Requirements ................................................................................................... 14
Table 3: CSP Options ................................................................................................................. 25
Table 4: Log Options ................................................................................................................... 26
Table 5: Password Options ......................................................................................................... 30
Table 6: Netscape/Mozilla Options ............................................................................................. 31
Table 7: Import/Export Options ................................................................................................... 32
Table 8: Event Handling Options ................................................................................................ 34
Table 9: DAS Options ................................................................................................................. 35
Table 10: Configuration File Update Options .............................................................................. 36
Table 11: Management Tool Command Line Options ................................................................ 47
Table 12: cspid_cli Options ......................................................................................................... 53
Table 13: cspid_ln Options ......................................................................................................... 55
Table 14: Test Configurations ..................................................................................................... 63
CSPid User’s Guide
8
1. Introduction
1.1. Overview
Abstract: This document describes a platform-agnostic software product that acts as a universal key
store as well as a cryptographic service provider. Accessed via Microsoft CAPI, or via its industry
standard PKCS #11 interface, CSPid ensures that authorized security-enabled applications have instant
access to the user’s latest certificates and private keys without the need to synchronize or replicate
credentials among those applications. Using platform-independent PKCS #15 key stores, CSPid simplifies
the migration of credentials between workstations with different operating systems. After presenting a
technical overview of the product, this document covers the installation, administration, and use of CSPid.
This document describes a software package that manages a user’s X.509 credentials, securely protecting
them while making them available upon demand (with appropriate authentication) to any security-enabled
application, and allowing them to be easily migrated between workstations in an operating system-
independent manner.
CSPid is a virtual smartcard that maintains a central repository for private keys and X.509 certificates on
behalf of its owner. It provides a secure environment for cryptographic operations that applications can
access via Java, PKCS #11, or Microsoft CAPI.
The CSPid system:
1. provides a single OS-independent credential store that may be shared by all security-enabled
applications on the user’s system
2. provides superior protection for private keys and overcomes password change/reset issues with
Windows, Internet Explorer, and Mozilla
3. simplifies enterprise-wide credential management: users need not replicate keys among
applications, and may effortlessly migrate credentials between workstations
4. provides administrative control over security policy settings and can be augmented to support key
escrow, key recovery, and/or password reset functions
5. provides event hooking enabling the execution of external programs based on events
6. reduces help desk costs and PKI training requirements
A major step forward in credential management, CSPid’s programming interfaces allows administrators to
build custom, nearly user-transparent PKI enrollment, key rollover, credential backup, and other
management tools that dramatically simplify the PKI experience for an organization’s end-users.
1.2. CSPid Architecture
The CSPid
system consists of four components:
a credential store: an encrypted file stored by the system on a local fixed disk, on removable
media, or on a remote network drive
a PKCS #11 library providing access to the credential store and certain private key operations
CSPid User’s Guide
9
a smart card minidriver that is used by the Microsoft Windows Base Smart Card Cryptographic
Service Provider (CSP) to provide access to the integrated PKCS #11 library to Microsoft
CryptoAPI-enabled applications (such as Internet Explorer, Microsoft Outlook, and Microsoft
Outlook Express)
a set of tools that permit the end-user to easily configure and maintain the CSPid system
AdministratorEnd-User
PKCS#11-Enabled Application
(Netscape, Notes, Mozilla Firefox/Thunderbird,
SecretAgent, SpyProof!, any Java application, etc.)
CAPI/CNG-Enabled
Windows Application
(Microsoft Outlook, Internet Explorer,
EFS, SecretAgent, etc.)
CSPid
Virtual Smartcard
CAPI/CNG
one configurable PKCS#15 key store per user
(future extensibility)
local or network-attached, file-based key store
remote HTTPS-based key store
(future enhancement)
CSPid
Manager
(command line and
graphical interfaces)
Base CSP
Smart Card
Minidriver
PKCS #11 Library
CSPid
Events
(handlers for
enrollment,
renewal,
program
registry,
certificate
retrieval, etc.)
DAS Comm.
Module
PKCS #15 Key Store
ManagerISC CDK 7.0
Key Stores
DAS servers to support
role-based operations
Smart Card Authentication
(optional)
signature server
decryption server
Figure 1: CSPid
3.0 Architecture Diagram
As illustrated in the above diagram, a PKCS #11 library (based on ISC’s FIPS-validated CDK 7.0), a
PKCS #15 key store manager, a smart card minidriver, and the CSPid management tools represent the core
components of the CSPid system. These tools and the provided APIs allow users to manage their key
stores and easily integrate CSPid into existing applications. As of version 2.0, the DAS communication
module allows CSPid to provide all applications (including Outlook and Thunderbird S/MIME) high-
assurance "role-based" signature and decryption operations that rely on remote private keys, possibly
stored on an HSM (requires DAS 1.8 or above).
CSPid User’s Guide
10
1.3. CSPid Events
CSPid exposes a portion of its programmable “event model interface” through its configuration file. This
interface, fully described in Chapter 3, allows an administrator to manage an end-user’s system and
credentials by means of custom scripts that are automatically executed in response to certain trigger
events. Among the events for which such custom “handlers” can be installed are:
initial PKI enrollment or key import
certificate renewal/key rollover
certificate import
manual selection of the “Register with Applications” command
manual selection of the “Renew My Certificates” command
manual selection of the “Reset Password” command
Event Name Triggers Configuration Options
Start up The CSPid Manager starts and the user
successfully authenticates.
The CSPid Manager will execute these commands allowing
the import/removal of DAS or issuer certificates or other
operations that need to occur daily.
Enrollment The CSPid Manager starts and no
credentials are found.
CSPid provides three choices for handling this event:
transfer credentials from the CAPI “personal”
store
run one or more commands
open a URL
The options are tried in the order listed above. If there are
still no private key objects present after running the option
the next option is attempted. If there are still no private key
objects present after running all the options the Renewal
event is run.
Renewal The CSPid Manager starts and all of the
existing signing credentials, or all of the
existing encrypting credentials, will be
invalid within a specified number of
days.
The user selects the Renew My
Certificates menu command.
cspid_ui.exe --renew is executed.
Enrollment fails to create a private key
object.
CSPid supports a single trigger setting:
lead time prior to expiration
and provides two event handling options:
open a URL
run one or more commands
New Signing
Credential
A signing certificate is imported and a
matching private key is found in CSPid.
CSPid creates necessary entries in the user’s CAPI
“personal” store; if the certificate was imported from a
third-party application, CSPid can run one or more external
commands.
New
Encryption
Credential
An encrypting certificate is imported
and a matching private key is found in
CSPid.
CSPid creates necessary entries in the user’s CAPI
“personal” store; if the certificate is imported from a third-
party application, CSPid can run one or more external
CSPid User’s Guide
11
commands.
New DAS
Signing
Credential
A DAS-enabled signing certificate is
imported and DAS support is enabled.
CSPid creates necessary entries in the user’s CAPI
“personal” store; if the certificate was imported from a
third-party application, CSPid can run one or more external
commands.
New DAS
Encryption
Credential
A DAS-enabled encrypting certificate is
imported and DAS support is enabled.
CSPid creates necessary entries in the user’s CAPI
“personal” store; if the certificate is imported from a third-
party application, CSPid can run one or more external
commands.
Register
with
Applications
The user selects the Register with
Applications menu command.
The user imports a recently issued
PKCS #12 file and
P12IMPORTREGAPPS is non-zero.
cspid_ui.exe --register is executed.
In addition to configuring the CAPI store and Netscape-
based applications, CSPid can run one or more external
commands.
Reset
Password
The user selected the Reset Password
menu command or clicks the Forgot
Password? link in the password dialog.
CSPid provides three choices for handling this event:
e-mail the password reset request file to one or
more administrators using the default mailer
run one or more commands
allow the user to save the file to a location of
their choice
An optional message can be displayed to the user before
any of these occur.
Table 1: CSPid
Events
1.4. CSPid DAS Support
CSPid versions 1.2 and above includes optional DAS support. DAS is a server-side component that
provides role-based capabilities enabling users to either sign for a role or decrypt anything encrypted for a
particular role. When C_Decrypt is called CSPid communicates with a DAS server in order to unwrap the
symmetric key which is then rewrapped for the specific user. CSPid then uses the user’s private key to
unwrap the response from the server. When C_Sign is called CSPid communicates with a DAS server
which performs the signature operation. Support for DAS in CSPid is accomplished by
enabling DAS operations via the configuration file
importing one or more DAS CoI certificates into CSPid
With DAS enabled, CSPid will assert to applications that the private key for each DAS CoI certificate
resides locally and can be used via CSPid. To do this, CSPid creates a temporary private key object for
each DAS CoI certificate when C_Initialize or C_CreateObject is called. Each temporary private key has
a vendor defined attribute enabling CSPid to differentiate real private keys from DAS CoI private keys
when C_Sign or C_Decrypt are called. These objects are not permanent and will disappear if DAS is not
enabled in the configuration file.
CSPid User’s Guide
12
When an application asks CSPid to decrypt or sign using one of these temporary private key objects, CSPid
interacts with a DAS server to perform the operation only if the user is a member of the community. For
decrypt operations membership is checked using the encryption certificate provided to the DAS server.
DAS operations require SSL/TLS client authentication and, for unwrap requests, an encryption certificate
(see the DAS documentation for a complete description of a DAS transaction). CSPid automatically
selects the best certificates for both authentication and rewrap purposes using the notBefore date and, if
specified in the configuration, preferred issuer information. The private keys for the selected
certificates may reside either within CSPid
itself (as software keys) or on a hardware token (e.g.,
CAC) specified in the configuration file. In the latter scenario CSPid
can store only the DAS CoI
certificates and no private keys are required to reside in CSPid
.
Inclusion of DAS support in CSPid allows any application to be DAS enabled including Microsoft
Outlook and Mozilla Thunderbird. This allows users to send S/MIME encrypted and signed e-mail in a
role based fashion rather than a user based fashion. Only members of a particular role will be able to
decrypt the e-mail messages and only members of the role will be able to sign e-mail messages as the
role. Chapter 8 Net-Centric Applications provides more information on this capability and its uses.
1.4.1. Notes
If a DAS server reports that a user is not a member of the group, the COI certificate is removed
from CSPid and the user is told to try the operation again.
CSPid automatically picks the certificate for DAS authentication and group membership for the
user. This can be controlled using the configuration file options: DAS_SIGN_ISSUER_ID,
DAS_ENC_ISSUER_ID, DAS_ENC_LABEL_ID, DAS_SIGN_LABEL_ID
Specific events related to the import of DAS COI certificates are available that mimic the events
that are associated with the import of actual credentials. These options are:
NEWDASSIGNCERTCMD, NEWDASENCCERTCMD
CSPid User’s Guide
13
2. Installation
2.1. Overview
CSPid is available on a variety of platforms and the installation process is platform-dependent. The
following files are typically installed:
the CSPid management tool (cspid_ui.exe or cspid_ui) and, if available, its translation files
(*.qm)
the CSPid command line tool (cspid_cli.exe or cspid_cli)
the CSPid PKCS #11 Library (cspid.dll or libcspid.so)
the modutil component of the Mozilla NSS toolset (nss3.9)
a CSPid configuration file (cspid.cfg) – optional
the CSPid User’s Guide (cspid.pdf) – optional
On Windows systems the following additional items are installed:
the Microsoft Smart Card Base Cryptographic Service Provider (if not already installed)
the CSPid Smart Card Minidriver (cspid.dll)
the CSPid Virtual Smart Card Reader Driver (cspidrdr.sys)
shortcuts in the Windows Start Menu for viewing this User’s Guide and starting the CSPid
management tool
a Java PKCS #11 configuration file (java_pkcs11.cfg)
the CSPid Lotus Notes command line configuration tool (cspid_ln.exe)
a Firefox and Thunderbird add-on that enables them to use CSPid
When run within a Citrix or remote desktop environment CAPI/CNG applications (Outlook, Internet
Explorer, etc.) may fail to function properly unless the CSPid smartcard reader device driver is installed on
the end point device (i.e. the client device) and, in the Citrix case, smartcard forwarding is enabled. Please
refer to the Citrix documentation. A special, driver only, package is available for installation on end
points. Alternatively, the Citrix smart card hook may be disabled. Please see the Using CSPid within a
Citrix VDI Environment for details.
CSPid User’s Guide
14
2.2. System Requirements
The following table lists the minimum version numbers for several of the most common applications that
one might wish to use with CSPid:
Supported Browsers
Internet Explorer 4 or higher
Netscape 4.75 or higher
Mozilla 1.0 or higher
Firefox 1.0 or higher
Java Java 1.5 and higher w/PKCS #11 support (see Java PKCS #11)
Operating Systems
Windows XP SP 1 or higher
Windows Server 2003 (x86 & x64)
Windows Server 2008 (x86 & x64)
Windows Vista (x86 & x64)
Windows 7 (x86 & x64)
Windows 8 (x86 & x64)
Solaris 8 or higher for SPARC
RedHat Enterprise Linux 4 or higher for x86
Table 2: System Requirements
CSPid User’s Guide
15
2.3. Windows
CSPid for Windows is distributed as standard MSI installation package that provides a wizard for
individual installation as well as supporting automated installation mechanisms. This setup program first
installs the core CSPid components; it will then install the translation files, configuration file, and user’s
guide if they are present in the same folder as the MSI file. The following MSI command line parameters
are available (options may be combined):
Option Values Notes
CONFIGFILELOC <path to cspid.cfg> To specify the location of the
configuration file to install
execute:
msiexec.exe /I cspid.msi
CONFIGFILELOC=<path to cspid.cfg>
ASSOCP12 0 (no)
1 (yes)
To have the installation associate
.p12 and .pfx files with the CSPid
Manager execute:
msiexec.exe /I cspid.msi
ASSOCP12=1
NOCSPIDMGR 0 (no)
1 (auto-start disabled)
2 (1 + no shortcuts)
To prevent the CSPid Manager from
automatically starting when the
user logs into Windows:
msiexec.exe /I cspid.msi
NOCSPIDMGR=1
Setting NOCSPIDMGR=2 will
additionally prevent the user’s
guide and CSPid Manager short cuts
from being created.
NOVCRT 0 (no)
1 (yes)
To prevent the installation of the
Visual C++ Runtime Libraries
(which sometimes conflict with
existing installed versions)
execute:
msiexec.exe /I cspid.msi NOVCRT=1
To further customize CSPid, open the cspid.cfg file in an editor prior to installation, and modify the
options settings as desired. (See section 3.5 for more information.) Be sure to save the modified
configuration file into the same folder as the cspid.msi file. Then install the CSPid system by executing
cspid.msi and following the prompts.
After installation on a Windows system, the CSPid management tool (see section 4.1) will automatically
start up and run in the system tray each time the user logs in unless NOCSPIDMGR is used. The first time
the tool is executed it will ask the user to set the CSPid password if necessary (unless AUTO_INIT=0 is
specified in the configuration file).
CSPid User’s Guide
16
2.4. UNIX
CSPid for UNIX is distributed as a single compressed tar ball (cspid.x.y.z.os.processor.tar.gz) that
must be decompressed and untar’d. The resulting cspid folder contains an INSTALL file that provides
platform-specific installation tips. Typically all that is required is to move the cspid folder to /opt/cspid
and to edit the cspid.cfg file.
To customize the way CSPid behaves, modify the options settings in cspid.cfg as desired. (See section
3.5 for more information.) libcspid.so and all associated utilities read their program configuration data
from cspid.cfg location in one of the following folders (in the order listed): /etc, /usr/etc,
/opt/cspid or the folder specified in the CSPidInstDir environment variable, if one is set. If the file is
located in /etc or /usr/etc it is considered secure allowing password reset and other sensitive settings to
be enabled.
After installation, all users should execute the following command to register CSPid with Netscape-based
PKCS #11 applications on their system:
/opt/cspid/cspid_cli –r
Alternatively users can use the included Firefox and Thunderbird extension (cspid.xpi) to add CSPid
support.
In the event that the Renew My Certificates feature (see section 4.1.11) is not functioning, users may need
to set a BROWSER environment variable that points to the web browser to use for enrollment.
Ideally /opt/cspid/cspid_ui will be configured to automatically start when each user logs into their
desktop.
CSPid User’s Guide
17
3. Configuration
3.1. Using CSPid with a Web Browser
3.1.1. CAPI-based Browsers
When CSPid is installed, the certificates in its key store are copied into the appropriate CAPI stores (and
linked to the private keys stored in CSPid) and are therefore available to any Microsoft CryptoAPI-based
application (such as Internet Explorer and Outlook). Users will be prompted to enter a smart card PIN
(their CSPid password) once per application instance.
3.1.2. Netscape-based Browsers
CSPid must be registered with Netscape-based programs before it can be used by them. On Windows, a
Firefox and Thunderbird compatible Add-on is installed on Windows that automatically performs the
required task. On UNIX, users may use the CSPid management tool’s Registering with Applications
command (see section 4.1.10; or use the appropriate CSPid Command Line option as described in section
4.2) to configure newly created Netscape-based profiles.
To manually register CSPid with a Netscape-based product, just add cspid.dll or libcspid.so to its list
of supported PKCS #11 tokens by opening the product’s Preferences dialog and modifying the “Security
Devices” or “Advanced” properties.
Once CSPid has been registered, ISC CSPid should appear in its list of available cryptographic tokens and
users will be prompted for the ISC CSPid password as needed.
3.2. Enrollment with a Web Browser
3.2.1. CAPI-based Browsers
To ensure that CSPid generates and stores users’ private keys during PKI enrollment, users should
explicitly tell the enrollment application to use the Microsoft Base Smart Card Crypto Provider as its
cryptographic service provider (CSP). When Internet Explorer, for example, is configured in this way and
used for PKI enrollment, it will use CSPid to generate and store private keys and to construct certificate
requests. Alternatively, the certificate authority may be capable of controlling the CSP that is used and
could be configured to only use the Microsoft Base Smart Card Crypto Provider.
3.2.2. Netscape-based Browsers
To ensure that CSPid generates and stores users’ private keys during PKI enrollment, users must select
ISC CSPid as the cryptographic token to use when prompted by the browser.
3.2.3. Other
If scripting enrollment, administrators may use CSPid’s command line utility (cspid_cli) to generate
suitable certificate requests. The cspid_cli includes a --gen-p10 command that will create a PKCS#10
CSPid User’s Guide
18
certificate request whose private key resides in CSPid. The request is suitable for uploading to a CA using
the --post option to submit the request or using any other means to submit the request. The issued
certificate may be picked up by the user using either Internet Explorer, Firefox, or simply by importing
the issued certificate into CSPid.
3.3. Using CSPid with Java Applications
On Windows, recent versions of Java include support for Microsoft CAPI as a keystore. On such systems,
Java, like other CAPI-based applications, requires no additional configuration to work with CSPid.
Otherwise, some manual configuration of a system is required to use CSPid with Java applications.1 Since
complete instructions are available from Sun2, only an outline of the required procedures is provided in
this section.
To make CSPid available to all Java programs on a system, add a line to the java.security file that
references the Java PKCS #11 configuration file, java_pkcs11.cfg, placed in the CSPid folder during
installation. A sample is provided below:
security.provider.7=sun.security.pkcs11.SunPKCS11 c:/Program Files/CSPid/java_pkcs11.cfg
Figure 2: Modifying the java.security File
To make CSPid available to a Java program programmatically, insert the following lines:
String configName = "C:/Program Files/CSPid/java_pkcs11.cfg";
Provider p = new sun.security.pkcs11.SunPKCS11(configName);
Security.addProvider(p);
KeyStore ks = KeyStore.getInstance("PKCS11");
// PIN is the CSPid login password.
ks.load(null, PIN.toCharArray());
Figure 3: Modifying Your Java Code
To use CSPid for client authentication in SSL/TLS connections in existing programs, users may have to
set the following system properties with the –D option. See Java SSL/TLS for more information.
javax.net.ssl.keyStoreType=PKCS11
javax.net.ssl.keyStorePassword=<password>
javax.net.ssl.keyStore=NONE
javax.net.ssl.keyStoreProvider=SunPKCS11-CSPid
Figure 4: Modifying Java SSL/TLS Properties
1 Java 2 version 1.5 or above is required for native PKCS #11 support through the JDK; earlier versions of Java might be able to access CSPid on
certain platforms, but this use is not supported by ISC.
2 See http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
CSPid User’s Guide
19
A sample Java program, cspid.java, that illustrates how CSPid may be used programmatically from
within Java code is included in the installation.
3.4. Using CSPid with Apache Tomcat
To use CSPid as the TLS key container for Apache Tomcat, the java.security file must be modified as
indicated in Figure 2 above, and the server.xml file located in
<Tomcat Home>/conf/server.xml must be changed so that it looks roughly as follows:
<Connector port="443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreType="PKCS11" keystorePass="PASSWORD" />
Figure 5: Modifying the Tomcat server.xml File
With these settings CSPid will be used as the server’s keystore and trust keystore.
If TLS client authentication is enabled by setting clientAuth=“true” in the server.xml file, only client
certificates subordinate to a root certificate stored in CSPid will be accepted.
3.5. The CSPid Configuration File
CSPid
‘s operating characteristics can be controlled by modifying the cspid.cfg file before or after
installation. If no cspid.cfg file is found, CSPid will operate with its default internal settings reproduced
in Appendix A: Default Configuration File.
Starting with version 3.0.0 the cspid.cfg file can be created using ISC’s central policy management tool.
This tool allows you to create both the initial policy and update policies to be placed on a server and
downloaded by CSPid as described later in this document.
3.5.1. Windows
On Windows, the active configuration file is the one cspid.dll finds in its own folder upon startup. If
the configuration file loaded resides in the installation folder (as found in the registry) it is considered
secure enabling the use of sensitive options like password recovery agents.
On Windows systems, CSPid expands the JAVA_HOME and CSPID_HOME environment variables with
appropriate values when they are used in configuration file event handlers (REGAPPSCMD,
ENROLLCMD, etc.).
3.5.2. UNIX
On UNIX, libcspid.so searches the following directories, in order, for cspid.cfg: /etc, /usr/etc,
/opt/cspid, the directory specified by the CSPidInstDir environment variable. Searching these system
directories should ensure that only a configuration file installed by an administrator is used. Configuration
CSPid User’s Guide
20
files in /etc and /usr/etc are considered secure enabling the use of sensitive options like password
reset agents.
3.5.3. CSPid
Events
Before delving into the details of CSPid Events (see Table 8: Event Handling Options), consider for a
moment the following reasonable scenario: suppose that an administrator wants to facilitate PKI
enrollment and application configuration for end users by performing the following, fairly typical, tasks:
1. have a user who has no existing credentials obtain a signing certificate from the enterprise CA
using his default web browser,
2. use the signing certificate just obtained to download via client-authenticated SSL a PKCS#12
PDU containing (a possibly escrowed) encryption key,
3. import the PKCS#12 PDU into CSPid and then delete it,
4. publish the user’s new credentials to the Exchange Global Address List (GAL), and
5. configure Microsoft Outlook to use the new credentials for S/MIME.
Employing CSPid event handlers (along with cmu, ISC’s Credential Management Utility), an administrator
can accomplish these five steps by:
i. adding the following line to the cspid.cfg configuration file to cause each occurrence of an
Enrollment event (an event triggered by the user starting CSPid with no credentials in their active
key store) to be handled by opening the specified webpage in the user’s default browser:
ENROLLURL=http://ca1.yourorganization.com/enroll
ii. adding the following five lines to the cspid.cfg to handle occurrences of the New Signing
Credential event:
NEWSIGCERTCMD= “C:\CMU\cmu.exe” d “%TEMP%\temp.p12”
NEWSIGCERTCMD= “C:\Program Files\CSPid\cspid_ui.exe” -i -f "%TEMP%\temp.p12"
NEWSIGCERTCMD= del “%TEMP%\temp.p12”
NEWSIGCERTCMD= “C:\CMU\cmu.exe” p
NEWSIGCERTCMD= “C:\CMU\cmu.exe” m
This handler, whose execution is triggered by the retrieval of a new signing certificate (possibly caused
by the completion of the enrollment process handled in step i), invokes cmu several times to download the
user’s escrowed encrypting PKCS #12 file, install it into their key store, publish the new credentials to
GAL, and configure their default MAPI provider.
CSPid User’s Guide
21
3.5.4. Controlling Certificate Visibility
By default, all certificates stored within CSPid are visible to all applications. However, it is possible to
hide certain certificates from certain applications if this is desired or required for security reasons. CSPid
accomplishes this by allowing an application blacklist (or whitelist) to be specified on a per-certificate
basis in the CSPid key store. Certificate black-/whitelists can be set either during certificate import using
the cspid_cli program, or edited at a later time using the CSPid Manager. These lists may consist of
actual application names or admin-defined tags that refer to applications specified in the configuration
file. (The tag method is preferred as it enables the lists to be changed without modifying the CSPid key
store.) The special tag value CAPI represents the Microsoft Windows CAPI store and all applications that
use it.
For example, to prevent Firefox and Thunderbird from using a particular certificate, set its blacklist to
some admin-defined tag, say MOZILLA, and add a corresponding BL-prefixed tag specifying the comma-
delimited list of proscribed applications to the configuration file:
BLMOZILLA=firefox.exe,thunderbird.exe
Similarly, to allow only CAPI-enabled applications to see a particular certificate, set its whitelist to an
admin-defined tag, say CAPIONLY, and add a corresponding WL-prefixed tag specifying CAPI to the
configuration file:
WLCAPIONLY=CAPI
Filtering can also be performed based on the CSPid library name in those situations in which application
names are not unique (as is typically the case for Java-based applications). In these situations, a copy of
cspid.dll can be made with a new name, an application is configured to use the newly-named library,
and this new library name is used in a whitelist or blacklist.
3.5.5. Updating the Configuration File
As described above, an initial configuration file is usually installed on each system on which the CSPid
software is installed. To facilitate the subsequent modification of configuration file settings, CSPid
supports the following web-based update mechanism: an updated configuration file is placed on a web
server (IIS, Apache, etc.) configured with SSL server authentication. When CSPid connects to the server it
checks the validity of the server’s certificate and, if it is valid, CSPid attempts to retrieve an updated
configuration file to use in place of the initial configuration file. Updates may be performed manually
using the cspid_cli tool or set to run periodically using the CSPid Manager. The Windows Task
Scheduler (or UNIX cron command) can also be used to run cspid_cli on a scheduled basis.
By default, the CSPid Manager checks for updated files only when it starts, so if a user never logs out
updates will not occur. To get around this and check for updates on a regular basis, use the
CFGUPDATEPERIOD setting.
Updates are cached locally in an encrypted file in the folder specified by the CFGUPDATELOCALSTORE
setting. The local cache is used if it is valid and will completely override all settings enabling
administrators to update the password reset agents, trust anchors and all other options from a central
location.
When an update occurs, CSPid uses DN information – first the user’s, if allowed and determinable, then
the CFGUPDATEDN value in the base configuration file – to locate update files on the server. The DN is
CSPid User’s Guide
22
converted to lowercase and successively truncated of leading RDNs until either an update is found or the
DN is empty. For example, if the configuration file contains:
CFGUPDATEURL=https://www.infoseccorp.com/isc_policies
CFGUPDATEDN=OU=Sales, O=ISC, C=US
CSPid would check the following locations:
https://www.infoseccorp.com/isc_policies/ou=sales/o=isc/c=us/cspid_win.cfg
https://www.infoseccorp.com/isc_policies/o=isc/c=us/cspid_win.cfg
https://www.infoseccorp.com/isc_policies/c=us/cspid_win.cfg
NOTE: UNIX configuration update files are named cspid_unix.cfg. Windows configuration
update files are named cspid_win.cfg.
If the configuration file enables the use of the user’s DN for updates (CFGUPDATEUSEUSERDN=1) then CSPid
will attempt to determine the user’s DN (by locating the most recently issued certificate with a private key
in CSPid itself using the DAS configuration options for AKI, Issuer DN, and Label, or, failing that,
finding the most recently issued certificate with a private key in a configured PKCS #11 device with the
same algorithm). The first update always uses the configuration file’s DN because the software doesn’t
know the user’s DN at that point.
If an invalid configuration file is downloaded or if the local cache is corrupt, it will be ignored and the
installed configuration file will be used. Updates and the ancillary information are stored in the location
specified by CFGUPDATELOCALSTORE. This is usually located in a subfolder of the path containing the
PKCS #15 PDU (%APPDATA%\CSPid\policies on Windows or $HOME/.cspid/policies on UNIX), but
can be independently specified. Deleting the items in this folder will cause CSPid to revert to the installed
initial configuration file and reset the update process.
This mechanism enables administrators to create policies at the organization, group, or individual level.
3.5.5.1. Creating a machine configuration file enabling updates
The following items must be present in the machine configuration file in order to enable the use of
updated configuration files:
CFGUPDATEURL
CFGUPDATEDN
CFGUPDATEPERIOD
CFGUPDATETRUSTMODEL
The CFGUPDATETRUSTMODEL value indicates how the client should trust the web server holding updated
configuration files. Setting it to 0 will use Microsoft Windows’ built in certificate validation routines and
trust anchors and is recommended. For UNIX systems or to restrict the list of trusted certificates you can
set the trust model to 1 or 2. Setting this value to 1 requires that a base64-encoded X.509 trust anchor be
specified in the CFGUPDATETRUSTANCHOR option. Only server certificates whose certificate path ends with
CSPid User’s Guide
23
this certificate will be trusted for configuration updates. Setting the value to 2 requires that a subject DN
be specified in the CFGUPDATETRUSTDN option. Only server certificates whose certificate path ends in a
certificate whose issuer DN matches this value will be trusted for configuration updates.
3.5.5.2. Creating an updated configuration file
An administrator should begin with the current configuration file so that the update information above
remains the same. They can then modify the file as necessary and save it. The updated file must be named
properly (either cspid_win.cfg or cspid_unix.cfg) and placed in the correct location on the update
server based on the DN for which the configuration file applies.
An experimental central administration client from ISC may be available to help create and maintain
these files. Please contact ISC for up to date information and instructions.
3.5.5.3. Running a manual update
A user can initiate an update by using the cspid_cli --cfg-update command. This will force the
application to attempt to download and use an updated configuration file.
3.5.6. Password Reset Agents
Password reset agents are specified in the configuration file by setting RSTPWAGENTS to a properly
formatted base64-encoded PKCS#7 PDU. A properly formatted base64-encoded PKCS#7 PDU, in this
case means one whose lines do not exceed 100 characters. When specifying this file as RSTPWAGENTS
you must precede each line with an equal sign. The command line option “p7tob64” will output a
properly formatted string given PKCS #7 input file. To update the agents you must update the
configuration file as described in Updating the Configuration File.
3.5.7. Configuration Options
Configuration options are detailed in the following tables:
CSPid User’s Guide
24
Option Values Notes
P15URL The path and filename
to use for the PKCS
#15 PDU.
On Windows use UNC paths (not
mapped network drive letters)
to specify the location of the
PDU.
USE_OLD_CHANGE_NOTIFY_METHOD
(Windows Only)
Set to 1 to use the
original method for
detecting changes in
the PDU file on
Windows.
Versions 2.1 and above use
Windows folder change
notifications to detect changes
to the PDU file. This improves
performance and reduces network
traffic. If set to 1 CSPid will
load the PDU and compare to its
cached copy.
AUTO_INIT 0 (no)
1 (yes)
If set 0 and the PDU has not
been created the system tray
application will run in reduced
functionality mode. If set to 1
and the PDU has not been
created the system tray
application will prompt the
user to create a password and
initialize the PDU.
VIRTUALIZE_GP_ISSUERS
(Windows Only)
0 (no)
1 (yes)
If set to 1, all issuer
certificates found in the
Windows Group Policy
certificate stores will be made
visible in CSPid. This enables
Netscape-based applications to
use these certificates while
not actually storing copies of
them in the PDU.
READONLY 0 (no)
1 (yes)
If set to 1, only cspid_cli.exe
and cspid_ui.exe (the CSPid
system tray application) will
be allowed to modify the key
store.
ENFORCE_CKA_EXTRACTABLE 0 (no)
1 (yes)
If set to 1, keys created or
imported with CKA_EXPORTABLE
set to FALSE cannot be
exported. Note, older versions
of CSPid marked all imported
keys as CKA_EXPORTABLE=FALSE so
setting this value to 1 may
severely impact existing
deployments.
ECCDHSS_EXTRACTABLE 0 (no)
1 (yes)
If set to 1, the resulting
value of an ECDH computation
can be exported (extracted)
from the CSPid PKCS#11 library.
In most cases this value should
be 0.
BL<TAG> A semi-colon delimited
list of programs that
cannot see
certificates marked
with TAG. The special
value CAPI prevents
When certificates are imported
or generated with the cspid_cli
program the --scope-blacklist
option can be used to tag the
certificate with a text value.
The tag value is prepended with
CSPid User’s Guide
25
the certificate from
being available to
CAPI. If the program
exe is not readily
available, you can
configure the program
to use a differently
named version of the
cspid library
(orap11.dll for
example) and blacklist
the library name.
BL and the list of banned
applications is determined by
the configuration file. Any
application that appears in the
blacklist will not be aware
that the certificate is
installed.
BLNOTES=nlnotes.exe
WL<TAG> A semi-colon delimited
list of executable or
library names that can
see the certificate
(programs not on the
list cannot see the
certificate). The
special value CAPI
allows the certificate
to be visible to any
CAPI-based
application. If the
program exe is not
readily available, you
can configure the
program to use a
differently named
version of the cspid
library (orap11.dll
for example) and
blacklist the library
name.
When certificates are imported
or generated with the cspid_cli
program the --scope-whitelist
option can be used to tag the
certificate with a text value.
The tag value is prepended with
WL and the list of allowed
applications is determined by
the configuration file. Only
applications that appear in the
whitelist can see certificates
marked in this way.
WLCAPIONLY=CAPI
WLNOTES=nlnotes.exe
Table 3: CSP Options
CSPid User’s Guide
26
Option Values Notes
LOGLEVEL 0 (critical information)
1 (information)
2 (debug)
Critical information is always
logged to the system log in
addition to any specified log
file. Debug and information log
entries are only logged to the log
file if specified.
LOGFILE The path and filename to use for
the log file.
None.
LOGFILEDAILY 0 (no)
1 (yes)
If set to 1 the LOGFILE name will
be prepended with the day it was
created. This will reduce the size
of the log files.
APPLOGFILE The path and filename to use for
the “registered” applications
list.
Every application that calls or
causes to be called the
C_Initialize() function in
cspid.dll or libcspid.so is stored
in this file and displayed when
the user selects “Show Registered
Applications”.
Table 4: Log Options
Option Values Notes
PWREQNUM 0 (no)
1 (yes)
If set to 1, user created
passwords must contain at
least one number: 0-9.
PWREQALPHA 0 (no)
1 (yes)
If set to 1, user created
passwords must contain at
least one alphabetic
character: a-z or A-Z.
PWREQMIXEDCASE 0 (no)
1 (yes)
If set to 1, user created
passwords must contain both
lower and upper case
characters.
PWREQPUNC 0 (no)
1 (yes)
If set to 1, user created
passwords must contain at
least one punctuation mark:
.,?!;:'".
PWREQSPEC 0 (no)
1 (yes)
If set to 1, user created
passwords must contain at
least one special character:
@#$%^&*()+=-_/><\|[]{}`~
PWAVOID One or more characters. Specify a list of characters
that may not appear in
passwords.
PWMINLEN The minimum length of user
created passwords.
None.
CSPid User’s Guide
27
PWCACHE 0 (no)
1 (per session)
2 (permanently,
Windows Only)
If set to 1, the user will be
prompted for the CSPid
password the first time it is
required in the login
session. The password will be
stored (encrypted) in the
CSPid.ini file until the CSPid
Manager (system tray
application) exits. If set to
2, the user will be prompted
for the CSPid password once
and it will be cached in the
Windows Registry permanently.
PWCACHE_CLEAR_ON_BAD_PIN 0 (no)
>1 (yes, after this
many failed attempts)
This value represents the
threshold of incorrect
password entry attempts after
which the cached password
will be cleared. This value
applies only if PWCACHE is
enabled and this value is set
to 1 (the default) or
greater. If this value is set
to 0 the cached password will
not be cleared and the user
can reattempt the login using
a blank password which will
cause CSPid to use the cached
password.
PWPROMPT_AT_STARTUP 0 (no)
1 (yes)
If set to 1, the system tray
application will prompt the
user for the CSPid password
when it starts.
PWWINPROMPT (Windows
Only, Optional)
The string to use to locate
the Windows Smart Card PIN
prompt dialog.
For Windows XP: "Smart card
PIN"
For Windows Vista/7: "Windows
Security"
Used in conjunction with
PWCACHE to inject the CSPid
PIN into the Windows password
dialog. The software
determines a suitable default
at runtime, so this is only
needed if Microsoft updates
the PIN prompt dialog.
PWCHANGE The number of days between
required user password
changes.
None.
PWHISTORY The number of unique
passwords required before
the user can re-use a
password.
None.
CSPid User’s Guide
28
PWTIMEOUT -1 (never)
nonzero (seconds)
If set to -1, password
timeout is disabled. If set
to a positive value the
library will require the user
to enter their password if
the library has been inactive
for the number of seconds
indicated. The minimum value
is 2 seconds.
RSTPWAGENTS A properly formatted base64-
encoded PKCS #7 PDU
containing one or more
password reset agent
certificates.
The command line option
“p7tob64” will output a
properly formatted string
given PKCS #7 input file.
A properly formatted base64-
encoded PKCS#7 PDU, in this
case means one whose lines do
not exceed 100 characters.
When specifying this file as
RSTPWAGENTS you must precede
each line with an equal sign.
This option is only used if
the configuration file is
considered secure – see
sections 3.5.1 and 3.5.2.
RSTPWMINLEN The minimum length of the
reset password.
This value is the number of
random bytes to use for the
reset password. The value the
user must type in will be 1/3
longer than this value. Any
values less than 8 will be
ignored.
RSTPW_MECHANISM 0 (e-mail)
1 (RSTPW_CMD)
2 (save as)
Specifies what to do when the
user chooses to reset their
password.
If set to 0, the user’s e-
mail client will be used to
send an e-mail to the
password reset agents with
the reset password file as an
attachment.
If set to 1, the commands in
the RSTPW_CMD parameters will
be executed.
If set to 2, the user is
asked to save the reset
password file to a folder of
their choice.
RSTPW_MESSAGE A text string When specified this string
will be displayed in a
message box prior to
performing the password reset
mechanism
CSPid User’s Guide
29
RSTPW_CMD One or more commands to
execute when the reset
password event occurs.
To specify multiple commands,
include multiple RSTPW_CMD=
lines in the configuration
file. If %1 appears in the
command it will be replaced
with the path and filename of
the password reset file prior
to execution.
RSTPW_PROMPT_RESET 0 (no)
1 (yes)
If set to 1, the user will be
prompted with a dialog to
change their password at the
end of the reset password
process. They will need to
provide the reset password
and a new password.
PW2ENABLED 0 (no)
1 (yes)
If set to 1 the PW2MASK item
will be used to determine
whether or not a password
meets the requirements and
PWREQNUM, PWREQALPHA,
PWREQMIXEDCASE, PWREQPUNC,
and PWREQSPEC will be
ignored.
CSPid User’s Guide
30
PW2MASK A | delimited string of
character classes
representing allowable
passwords.
The string is made up of
ULNPS sequences separated by
the | symbol. Each letter
represents a character class
that must (not) be in the
password. The | symbol
represents is used to create
multiple acceptable
sequences.
U - upper case
character required
L - lower case
character required
N - numeric character
required
P – punctuation
required
S - special character
required
u – upper case
character forbidden
l – lower case
character forbidden
n – numeric character
forbidden
p – punctuation
forbidden
s – special character
forbidden
For example:
ULN|ULP|UPS|Npuls would
accept any of the following
passwords
- mixed case with a
number (Ab3)
- mixed case with
punctuation (Ab!)
- upper case with
punctuation and a
special character
(A!@)
- only numbers
PW2REQCLASSCHG 0 (disabled)
nonzero (characters)
Specifies the maximum number
of consecutive characters
from a single character class
that is allowed. For example,
if set to 4 a password
containing ABCD would be
acceptable, but one
containing ABCDE would be
rejected.
Table 5: Password Options
CSPid User’s Guide
31
Option Values Notes
NSSEARCHPATH One or more semi-colon delimited
paths that should be searched
for Netscape-based profiles in
addition to CSPid’s default
paths.
A common addition for Netscape 4.x
users is:
%ProgramFiles%\Netscape
NSCREATETRUST 0 (no)
1 (yes)
If set to 1, ephemeral
CKO_NETSCAPE_TRUST objects are
created and made accessible to
applications using CSPid’s PKCS #11
interface. These objects tell the
calling application to trust the
certificates in CSPid.
Table 6: Netscape/Mozilla Options
Option Values Notes
CAIMPORT 0 (never)
1 (prompt user for
trust)
2 (always)
If set to 0, CSPid will not
store certificates for which
it does not store a matching
private key.
If set to 1, CSPid will store
certificates without private
keys, but it will prompt the
user for permission to import
(and thus trust) root
certificates.
If set to 2, as if set to 1,
but on UNIX the user will not
be asked to trust root
certificates.
P12EXPORT 0 (no)
1 (yes)
If set to 1, users will be
allowed to export their
credentials as PKCS #12 files.
P12EXPORTREQUIRESNEWPIN 0 (no)
1 (yes)
If set to 1, users must supply
a password other than their
CSPid password as when prompted
to create a password to
protect exported private keys.
P12IMPORTCA 0 (no)
1 (yes)
If set to 1, CSPid will attempt
to import any issuer
certificates it finds when
importing PKCS #12 files
adhering to the CAIMPORT
setting. When set to 1, CSPid
will attempt to include issuer
certificates when exporting
PKCS #12 files.
P12IMPORTREGAPPS 0 (disabled)
max hours since
Causes the CSPid
UI to trigger
the register with applications
event when a user imports a
CSPid User’s Guide
32
issuance PKCS #12 file via the CSPid UI
command line (cspid_ui.exe) if
the certificate was issued
within the number of hours
specified.
P12CLIIMPDELONMATCH Keyword When present the CSPid UI will
examine the path and filename
of PKCS#12 files imported via
its command line and, if the
keyword is present, delete the
file after import. This is
typically used to delete
PKCS#12 files “opened” from
within the user’s web browser
by setting the value to Temp
(Firefox) or Temporary
(Internet Explorer).
IGNORE_ISSUERS_IN_GP 0 (no)
1 (yes)
If set to 1 issuer
certificates will be installed
in the user’s certificate
stores even if they are
present in an installed group
policy. If set to 0 issuer
certificates are already in
group policy will not be
installed in the user’s
certificate store.
Table 7: Import/Export Options
CSPid User’s Guide
33
Option Values Notes
STARTUPCMD One or more commands to
execute when the CSPid Manager
application starts.
None.
ENROLLURL The URL to open when the
enrollment event occurs.
This option is ignored if
ENROLLCMD or ENROLLCAPI is set.
ENROLLURL_MESSAGE Text to display to the user in
a message box in place of the
default text notifying the
user that a browser will open
to start enrollment.
Leave blank to use the default
text.
ENROLLCMD One or more commands to
execute when the enrollment
event occurs.
To specify multiple commands,
include multiple ENROLLCMD=
lines in the configuration file.
This option is ignored if
ENROLLCAPI is specified.
ENROLLCAPI 0 (disabled)
1 (enabled)
If set to 1, the CSPid Manager
will move credentials from the
CAPI “personal” store to CSPid.3
ENROLLCAPI_MESSAGE Text to display to the user in
a message box in place of the
default text notifying the
user that they may be prompted
for their password when moving
their credentials from CAPI.
Leave blank to use the default
text.
NEWSIGCERTCMD One or more commands to
execute when new signing
certificate event occurs.
To specify multiple commands,
include multiple NEWSIGCERTCMD=
lines in the configuration file.
NEWENCCERTCMD One or more commands to
execute when a new encryption
certificate event occurs.
To specify multiple commands,
include multiple NEWENCCERTCMD=
lines in the configuration file.
DASNEWSIGCERTCMD One or more commands to
execute when new DAS-enabled
signing certificate event
occurs.
To specify multiple commands,
include multiple
DASNEWSIGCERTCMD= lines in the
configuration file.
DASNEWENCCERTCMD One or more commands to
execute when a new DAS-enabled
encryption certificate event
occurs.
To specify multiple commands,
include multiple
DASNEWENCCERTCMD= lines in the
configuration file.
RENEWURL A URL to open with the default
web browser when the renewal
This option is ignored if
RENEWCMD is specified. If set,
3 Credentials that cannot be exported (they are stored in a smart card or are marked non-exportable) will not be moved. Credentials are moved by
exporting the private key, importing it into CSPid and then deleting it from the current Microsoft CAPI provider. The current Microsoft EFS
credential, however, will be copied to CSPid. EFS in Windows 2000 and XP only works with credentials stored in Microsoft CSPs. On Windows
Vista, EFS can work with smart card credentials, but it independently caches the CSP of the private key. For these reasons, CSPid does not modify
the EFS certificate in CAPI’s personal store.
CSPid User’s Guide
34
event occurs. the Renew My Certificates item
appears in the CSPid Manager.
RENEWURL_MESSAGE Text to display to the user in
a message box in place of the
default text notifying the
user that a browser will open
to start enrollment.
Leave blank to use the default
text. This text is not displayed
if the user initiates the action
from the CSPid Manager.
RENEWCMD One or more commands to
execute when the renewal event
occurs.
To specify multiple commands,
include multiple RENEWCMD= lines
in the configuration file. If
set, the Renew My Certificates
item appears in the CSPid
Manager.
RENEWDAYS The number of days before
certificate expiration that
should be considered when
deciding whether the renewal
event should occur.
None.
REGAPPSCMD One or more additional
commands to execute when the
user invokes Register with
Applications.
To specify multiple commands,
include multiple REGAPPSCMD=
lines in the configuration file.
ALLCERTSISSUERS
(Windows Only)
Indicates how register with
applications should treat
certificates without matching
private keys.
0 (follow RFC 5280)
1 (treat as issuers)
If set to 0, certificates
without matching private keys
will be treated as issuer
certificates only if they
contain a basic constraints
extension asserting the CA flag.
If set to 1, all certificates
without matching private keys
will be treated as issuer
certificates.
Table 8: Event Handling Options
Option Values Notes
DASENABLE 0 (no)
Serial Number (yes)
If set to a CSPid DAS Enablement
serial number, DAS will be
enabled.
DASSERVER One or more DAS rewrap server
URIs. If provided CSP
id will use this
list of DAS servers rather than
expect the full DAS URL to
reside in the CoI certificates.
DASSIGSERVER One or more DAS signing
server URIs. If provided CSP
id will use this
list of DAS servers rather than
expect the full DAS URL to
reside in the CoI certificates.
DASTIMEOUT The number of seconds to wait
for a DAS server to connect. If provided CSP
id will use this
value instead of the default
value.
DASNUMREDIR -1 (no limit) This value controls the number
CSPid User’s Guide
35
0 (no redirection)
>0 (number)
of times that CSPid will append
additional DAS URLs returned by
DAS URL Redirection function.
For example, setting this value
to 1 means that after 1 DAS
server has responded with CoI
Not Found and a list of
alternate DAS URLs that all
future CoI Not Found messages
will not add more URLs.
DAS_SIGN_ISSUER_ID Either an issuer DN or an AKI
value to use when selecting a
signing certificate.
If provided CSPid
will use this
information when choosing
between multiple signing
certificates.
DAS_ENC_ISSUER_ID Either an issuer DN or an AKI
value to use when selecting
an encryption certificate.
If provided CSPid
will use this
information when choosing
between multiple encryption
certificates.
DAS_ENC_LABEL_ID A “keyword” that indicates
that a particular certificate
is “better” for encryption
than other certificates.
If provided CSPid
will use this
information when choosing
between multiple signing
certificates. For CAC it should
be Encryption.
DAS_SIGN_LABEL_ID A “keyword” that indicates
that a particular certificate
is “better” for signing than
other certificates.
If provided CSPid
will use this
information when choosing
between multiple signing
certificates. For CAC is should
be Signature.
EXT_P11_LIB,
EXT_P11_LIB64
The PKCS #11 libraries (32-
bit and 64-bit) to use for
cryptographic operations when
connecting to a DAS server or
signing policy updates.
If provided CSPid
will use the
first available smart card when
authenticating with a DAS server
or decrypting a DAS server’s
response.
EXT_P11_LABEL The label of the token to use
for PKCS #11 operations. If provided CSP
id will find and
use the slot containing a token
with this label. If not present
then it will use the first
available smart card. This
option is most useful when using
a hardware security module with
multiple slots for password
reset operations.
EXT_P11_NAME The name to display to the
user when prompting for the
password to the external
smart card.
If provided CSPid
will display
this name rather than the card’s
label returned from the PKCS #11
library.
Table 9: DAS Options
Option Values Notes
CFGUPDATENAME The name of this configuration
file.
This value is displayed in the
about dialog of the CSPid
Manager for informational
purposes.
CSPid User’s Guide
36
CFGUPDATELOCALSTORE Specifies the file path that
CSPid should use to store
updated configuration files.
This path should be per-user
and must be user-writable. In
addition to updated
configuration files the user’s
DN and the last update time is
stored in this folder.
CFGUPDATEURL A URL specifying the server,
port, and base path in which
updated configuration files
are stored.
Please see the preceding
section for details on the
directory structure expected.
CFGUPDATETIMEOUT The number of seconds to wait
for an update server to
connect.
Please see the preceding
section for details on the
update process and the role
this value plays.
CFGUPDATEDN A distinguished name (DN)
representing this computer or
installation instance.
Please see the preceding
section for details on the
update process and the role
this value plays.
CFGUPDATEUSEUSERDN Determines whether the user’s
own DN or only the computer’s
DN will be used for
downloading updates.
0 (use only
CFGUPDATEDN)
1 (try the user’s DN
first, then fallback to
CFGUPDATEDN)
Please see the preceding
section for details on the
update process and the role
this value plays.
CFGUPDATEPERIOD The number of days that the
CSPid Manager should wait
between attempting updates.
The default is 0 which disables
updates.
CFGUPDATETRUSTMODEL Specifies the method by which
the update server’s
certificate will be validated.
0 (use Windows)
1 (use
CFGUPDATETRUSTANCHOR)
2 (use
CFGUPDATETRUSTDN)
3 (disabled)
Updated configuration files
will only be retrieved from
trusted web servers. Trust is
established in one of 3 ways:
- Windows path validation
routines and trust
anchors
- A single trust anchor
- A single trust anchor DN
The most secure method is a
single trust anchor.
CFGUPDATETRUSTANCHOR Specifies a single, base64-
encoded X.509 trust anchor. If CFGUPDATETRUSTMODEL=1 this
value contains the trust anchor
to which the server certificate
must chain.
CFGUPDATETRUSTDN Specifies the subject DN of
the trust anchor. If CFGUPDATETRUSTDN=1 this
value contains the issuer DN of
the trust anchor.
Table 10: Configuration File Update Options
CSPid User’s Guide
37
4. Using CSPid
CSPid integrates into browsers, e-mail clients, and other system applications in the same manner as a
smart card. Once you enter your password, the private keys in the CSPid key store are immediately
available for use in decryption and/or signing operations in any Microsoft CAPI- or (registered) Netscape-
based application.
NOTE: During browser-based PKI enrollment operations, you (or your certificate authority’s webpage)
must explicitly specify the CSPid token. For Internet Explorer select Microsoft Base Smart Card Crypto
Provider, and for Netscape-based browsers select ISC CSPid. Alternatively, you can use CSPid’s built-in
PKCS#10 certificate request generation (cspid_cli --gen-p10).
4.1. The CSPid Management Tool
The CSPid management tool is a system tray application (on systems that support the system tray concept)
that allows you to perform common management tasks and to view the objects managed by CSPid. It
normally starts automatically each time you log in. (On UNIX this behavior must be configured by an
administrator.)
Figure 6: The CSPid
System Tray Menu
The Manage CSPid menu item opens the CSPid Manager’s main dialog, illustrated below; the remaining
menu items are simply shortcuts to identically named items in the main dialog’s menu bar.
This section explains how to use the CSPid Manager (or equivalent system tray menu items) to view the
certificates and other objects stored by CSPid, and to import into, export from, and delete objects from,
your active key store. The CSPid Manager supports the import and export of PKCS #12 and PKCS #7
PDUs, as well as that of (raw binary ASN.1 DER-encoded) X.509 certificate files.
CSPid User’s Guide
38
Figure 7: The CSPid
Manager’s Main Window (Standard View)
4.1.1. Two Views of the Key Store
The CSPid Manager’s main window initially lists all certificates managed by CSPid; this is the default
“view” of the CSPid key store. When in this view, for example, you can determine if a private key is
associated with a particular certificate by selecting that certificate in the left-hand pane and inspecting its
Private Key property in the right-hand pane.
Selecting Advanced from the View menu causes the main window to switch from showing only
certificates to displaying all objects managed by CSPid. Advanced view allows you to manage individual
certificates, public keys, and private keys.
Figure 8: The CSPid
Manager’s Main Window (Advanced View)
CSPid User’s Guide
39
4.1.2. Importing Credentials
Choosing Import from the CSPid Manager’s File menu opens the following file selection dialog. Change
the type of file to be imported (PKCS #12, PKCS #7, or X.509), if necessary, using the Files of type drop
down list, select one or more files, and click Open. (As usual in such dialogs, several files of the specified
type can be selected by using the control and/or shift keys in conjunction with the left mouse button.)
Figure 9: Importing a File
CSPid User’s Guide
40
4.1.3. Exporting Credentials
Selecting a certificate, then choosing Export from the CSPid Manager’s File menu opens a standard Save
as dialog. Enter a filename for the file to be created, change its type (PKCS #12, PKCS #7, or X.509), if
necessary, using the Save as type drop down list, then click Save.
Figure 10: Exporting a File
4.1.4. Deleting Credentials
Selecting a certificate (or key in Advanced view), and choosing Delete from the CSPid Manager’s Edit
menu starts the process of removing a certificate and any associated keys from the CSPid key store. You
will be prompted to confirm that you really want to delete the selected key or certificate.
Figure 11: Confirming Certificate Deletion
If the certificate being removed has an associated private key (which, in the standard view, will also be
deleted), you will be prompted for confirmation a second time to ensure that you fully understand the
consequences of your decision.
CSPid User’s Guide
41
Figure 12: Confirming Private Key Deletion
If you select an object in Advanced view, and choose Delete from the Edit menu, only the selected object
will be removed from the CSPid key store. (This is different from the behavior of Delete in the standard
view where only certificates are displayed and all associated keys are deleted.)
4.1.5. Changing Your Password
To change the password used to protect private items in your CSPid key store, select Change Password
from the Tools menu (or from the system tray menu).
Figure 13: Changing Your CSPid
Password
The OK button in this dialog will become enabled once you have entered at least one character in all
password fields and the new password satisfies any quality requirements that may be in effect pursuant to
an active security policy. (The status line keeps you apprised of any requirements that remain to be
satisfied.)
NOTE: You will be forced to change your password if a security policy specifying one or more Password
Recovery Agents is installed on your system by an administrator.
CSPid User’s Guide
42
4.1.6. Initiating Password Reset
If you forget your password (and password reset is enabled4), you may request that a PRA assist you in
resetting it. If password reset is enabled on your system, you’ll see a “Forgot Password?” link on CSPid’s
login dialog:
You can also initiate the process using the system tray menu’s Reset Password item. In some
installations an administrator may implement a different reset process. What follows is the standard
password reset process. Please consult your organization’s documentation on password reset if the
following is incorrect.
To begin the password reset process, click item and enter your contact information into the following
form:
Once you click OK, the supplied information will be e-mailed with an attached password reset (.cpr) file
to all designated PRAs using the e-mail addresses in their certificates.
NOTE: The .cpr file contains only a reset password for your system encrypted for each of the PRAs; it
does not contain any of your private keys. One of the PRAs should decrypt this file for you and provide
you with the reset password which can then be used at the CSPid login prompt in place of your forgotten
password.
4 Password reset is enabled by one or more PRA certificates being specified in the active security policy. See Table 5: Password Options for
details.
CSPid User’s Guide
43
4.1.7. Handling a User’s Password Reset Request (PRA only)
When a PRA receives a password reset request via e-mail from an end-user, they should first ascertain
that the user is who they claim to be -- insist on appropriate identification! The reset password dialog will
contain the user name (and, on Windows, the domain name) of the user that was logged in when the
password was set. This information allows an administrator to know which account owns the reset
password. Administrators use the CSPid Manager to open the .cpr attachment (by “opening” the file or by
selecting Open Password Reset File from the Tools->Administration menu). The (case-sensitive) reset
password displayed to the administrator can then be returned to the end-user.
4.1.8. Completing Password Reset
Once you have received a (case-sensitive) reset password from a PRA, you may enter it at the CSPid
Manager login prompt in place of your forgotten password. You will be forced to change your password
to complete the password reset process. Alternatively, you can click the Change Password menu item in
the system tray menu and enter the reset password as the Old Password.
NOTE: When you change your password, a new reset password is also generated and the old reset
password known to, and supplied by, your PRA will no longer be valid.
4.1.9. Viewing Client Applications
Selecting Show Client Applications from the Tools menu (or from the system tray menu) will display a
dialog listing all applications that have accessed the CSPid library since it was installed. Note that
registering with applications will not necessarily make them show up in this list. They will appear only
after the application uses a key stored in CSPid. Starting with version 2.2.5 this option is off by default and
must be enabled using the configuration file.
CSPid User’s Guide
44
Figure 14: Viewing Registered Applications
This dialog provides a quick way of determining which applications have potentially accessed your
private keys without you having to open and search through your system’s event log.
If a Netscape- or other PKCS #11-based application does not appear in this list, it may not be able to use
CSPid until you have invoked the Register with Applications command described next.
4.1.10. Registering With Applications
Selecting Register with Applications from the Tools menu (or the system tray menu) causes CSPid to:
search for Netscape-based profiles along the paths specified in CSPid’s configuration file; CSPid
then registers itself as a PKCS #11 library in each discovered profile using the NSS modutil
program
(Windows only) copy and install all certificates in the CSPid key store into the following
Microsoft CAPI stores: My, addressBook, CA, and Root
Register with Applications is intended to help users easily migrate their credentials to a new system or to
use CSPid on multiple systems (with possibly a network-accessible PKCS #15 PDU as their key store).
Once this command is run, your system will be aware of all your certificates and private keys, as well as
all CA certificates stored by CSPid.
4.1.11. Renewing Your Certificates
If available, choosing Renew My Certificates from the Tools menu (or from the system tray menu) will
initiate the credential renewal process for your organization as specified in the active security policy.
When enabled by an administrator, this command will execute custom scripts that should help simplify
the PKI enrollment/ certificate renewal process for you.
CSPid User’s Guide
45
4.1.12. The About Dialog
Selecting About from the Help menu (or from the system tray menu) opens an informative dialog that,
among other things, refers users to ISC for support and provides the necessary contact information.
Figure 15: Viewing the About Dialog
4.1.13. Terminating the Management Tool
Selecting Exit from the File menu (or from the system tray menu) will terminate the CSPid management
tool. (Closing the tool’s main dialog minimizes it to your system tray, but leaves it running.)
4.1.14. The Management Tool Command Line
The CSPid
management tool has limited command line functionality designed for integration with the
operating system and to provide functionality for command based events (REGAPPSCMD,
ENROLLCMD, RENEWCMD, NEWSIGCERTCMD, etc.).
Switch Command Required Options Notes
-R reset user
pin
-f <file> Opens the administrative
password reset file specified.
-f <file> none none Specifies a filename to open or
import when used with the –R
and –i options.
-i import file -f <file> Imports the specified file
(.p7b, .cer, .der, .p12, .pfx).
If used with --cspid-auth
%CSPID_UI_AUTH%, CSPid will not
prompt the user when importing
root certificates (MS CAPI may
still prompt the user). If –f
is a wild card specification a
recursive search will be
performed to find and install
all matching items. Use --p12-
pass to specify the import
password. Use --showsuccess to
display a message of your
choice on success.
--p12-pass specifies the none Allows the PKCS#12 import
CSPid User’s Guide
46
<password> PKCS #12
import
password with
the –i
command
password to be provided via
script rather than input by the
user. If the password is
incorrect they user will be
prompted to enter the password.
--showsuccess
<message>
specifies a
message to
display upon
successful
import
none Causes the application to
display a dialog containing the
provided message upon
successful import of a file.
--export-all-
keys <folder>
export all
credentials
as PKCS #12
files
--cspid-auth
%CSPID_UI_AUTH%
If PKCS #12 export is allowed,
this command will prompt the
user to create a password to
protect the exported files and
then save all of the user’s
credentials as PKCS #12 files
in the specified location.
--backup-p15
<folder>
create a copy
of the CSPid
PKCS #15 file
--cspid-auth
%CSPID_UI_AUTH%
This command will create a copy
of the user’s PKCS #15 PDU in
the specified location for
backup purposes.
--cspid-auth
%CSPID_UI_AUTH%
none none This option authorizes the user
interface to execute sensitive
commands. When found in the
configuration file the
management tool will replace
%CSPID_UI_AUTH% with a nonce
that is checked when the
command is executed.
--move-capi-
keys
migrate CAPI
credentials
none This command moves any
credentials stored in CAPI/CNG
into CSPid.
-- showmessage <message>
display
message box
none This command displays a dialog
with the message provided and
an OK button. It can be used to
alert the user of an impending
event or the completion of an
event.
-- showmessage-tray <message>
Display
system tray
message or
message box
none This command causes the system
tray icon to display a popup
message. If the system tray
cannot do this it behaves as if
--showmessage were specified.
--prog-display
<0|1>
display or
hide the
progress
status window
--prog-status
<message>
--prog-display 1 will cause a
window to appear and display
the message provided by the –
prog-status option.
--prog-display 0 will hide the
window.
--start-hidden
(UNIX-only)
on systems
without a
system tray
start in the
none This command starts the GUI
without showing the main window
(it will prompt for the
password, run any events, and
CSPid User’s Guide
47
background then disappear into the
background). If the user runs
cspid_ui again the background
instance will display the
manager window. If the user
closes the manager window the
application returns to the
background state. If the user
exits the manager window the
application quits. This
simulates the behavior of the
application on systems with a
system tray.
--min none none If the system tray application
is not running start it.
--renew none none Emulate the user selecting
Renew My Certificates
--register none none Emulate the user selecting
Register with Applications
Table 11: Management Tool Command Line Options
CSPid User’s Guide
48
4.2. The CSPid Command Line Tools
Command line utilities allowing the scripting of certain actions are provided for use by administrators or
others who want to perform certain actions automatically. They are well suited for use by the event
model.
Note: If permanent password caching is enabled (PWCACHE=2) and the password has been cached, the --
chgpin and --export options will accept the user’s Windows login password in the -p options. This allows
the user who has forgotten the CSPid password (because it’s been permanently cached and so rarely used)
to change their password or export their credentials.
4.2.1. cspid_cli
The cspid_cli command line program is the primary administrative utility and provides most of the
available functionality:
CSPid(R) Command Line Interface, Version 3.0.1
(C) 2007-2013 Information Security Corp. All rights reserved.
Usage: cspid_cli {-b | -c | -C | -e | -h | -i | -r | -u} [-f <file>] [-I]
[-p <pwd>] [-P <path>] [-t <pin>] [--pause] [-y]
Functions (specify exactly one):
--admin-pwdr decrypt and display a user's reset password
--cfg-update force an update of the user's configuration file
--check-p10 load contents of -f argument and verify that it is valid
--check-pin check whether the given password is correct or not
--check-new-pin check whether the given password meets the password
requirements or not
-c, --chgpin change the CSPid password
-C, --clear erase all CSPid objects
--clear-orphans erase all public/private keys without certificates
-e, --export export all CSPid objects; if P12EXPORT=1, certificates
with private keys are saved as .p12 files
--gen-p10 dn generate a key pair and output a PKCS#10 certificate
request with the distinguished name <dn>
--gen-jks generate a Java keystore file in the output file
specified by the -f option and password in -t
-h, --help print this usage information, then exit
-i, --import import a PKCS#12, PKCS#7, or ASN.1 DER-encoded file
--initialize erase any existing CSPid key file and create a new one
-b, --p7tob64 base64-encode a PKCS#7 PDU (for RSTPWAGENTS)
--post url HTTP(S) POST contents of -f argument to specified <url>
--query opt query Active Directory for user info spec'd by <opt>
-r, --register install CSPid into Netscape-based applications and
register certificates in CAPI
--resetpin create a password reset request
-u, --uninstall remove CSPid from Netscape-based applications
Options:
--attribute att the attribute name to retrieve from AD with --query 5
--content-type ct specify the content type to use with --post
--debug output some additional information for some operations
--delay-commit commit changes on exit rather than throughout the process
--exportable-no imported private keys can't be exported by the user
--exp-no-issuers with (-e, --gen-jks), do not include issuer certificates
when creating JKS or PKCS#12 files
CSPid User’s Guide
49
--exp-no-privates with (-e, --gen-jks), do not include private keys
when creating JKS or PKCS#12 files
--exp-only-label lab with (-e, --gen-jks), only export items whose CKA_LABEL
value contains lab
-f file
--filename file read (-i, -b) the specified file or save the output
(--gen-p10, --gen-jks, --cfg-sign, --cfg-add-sig) in
the specified file
--gen-key-type type generate a key of type <type> when creating a PKCS#10
PDU (--gen-p10). <type> may be RSA1024, RSA2048,
ECCp256, ECCp384, ECCp521
--graphical-prompts use windowing system to prompt for items, not text
--impersonate app with -e or --gen-jks, use the supplied app name to
filter output
-I
--installonly skip CAPI certificate registration (with -r)
--label lab append lab to the default CKA_LABEL value (with -i)
-t use pin as the new CSPid pin or
--p12pin pin use pin as the PKCS#12/JKS file password
--exp-pin pin use pin as the PKCS#12/JKS file password
--exp-pin-cspid use the CSPid PIN as the PKCS#12/JKS file password
-p pin use pin as the CSPid password
-P path
--path path with -e, export files to path
with -i, import all PKCS#12 (.p12/.pfx) files in path
with -r, append path to NSSEARCHPATH
--pause prompt for a key press before exiting
--post-output file with --post, saves the result in the specified file
--replace with -i, updates attributes of existing entries
as opposed to skipping the item
--scope-whitelist imported credentials visible only to these applications
--scope-blacklist imported credentials not visible to these applications
using whitelist and blacklist matching
-y
--yestoall suppress prompts for object deletion and file overwrite
See accompanying documentation for additional information.
Figure 16: The cspid_cli Interface
In general, commands cannot be combined on the same command line and certain options apply only to
particular commands (see table below). The register and uninstall options access the cspid.cfg file to
determine which paths should be searched or use the default values if no paths are specified in the
configuration file. If the path option is supplied to register or uninstall as a semi-colon delimited list of
directories, those directories are searched in addition to paths specified in the configuration file.
CSPid User’s Guide
50
Command Required Options
Optional Switches Additional Information
admin-pwdr --filename --pause, --graphical-prompts Attempts to decrypt
and display the reset
password for the
password reset file
specified by –-
filename.
cfg-update none --pause, --graphical-prompts Forces the software to
attempt to download a
new digitally signed
configuration file
from the update
server.
check-p10 --filename --pause, --graphical-prompts Parses the PKCS#10
input file, validates
the signature, and
reports whether or not
it is OK.
check-pin none -p, --pause, --graphical-
prompts
Checks to see if the
provided password can
decrypt the user’s
PKCS #15 PDU.
check-new-
pin
-p --pause, --graphical-prompts Checks to see if the
provided password
meets the password
quality requirements.
chgpin none --pause, --graphical-prompts Changes the user’s
CSPid password
interactively from the
command line.
clear none -p, --pause, --yestoall, --
graphical-prompts
Erases all objects
(certificates, public
keys, and private
keys) from the user’s
CSPid store.
clear-
orphans
None -p, --pause, --graphical-
prompts
Erases all public and
private keys for which
no certificate exists.
export --path --p12pin, -p, --pause, --
yestoall, --exp-no-issuers,
--exp-no-privates, --exp-
only-label, --graphical-
prompts, --exp-pin-cspid, --
exp-pin, --impersonate
Exports all objects
from the user’s CSPid
store.
--exp-only-label only
exports items whose
CKA_LABEL contain the
specified value.
If –-exp-pin-cspid or
--exp-no-privates is
specified and password
CSPid User’s Guide
51
caching is enabled,
the user will not be
prompted for the CSPid
password.
gen-p10
<dn>
--gen-key-type -p, --pause, --yestoall, --
exportable-no, --graphical-
prompts, --filename
Generates a key pair
and certificate
request. <dn> is of
the form “CN=Joe User,
OU=Marketing, O=ISC,
C=US”
gen-jks --filename -p, --pause, --yestoall, --
exp-no-issuers, --exp-no-
privates, --exp-only-label,
--graphical-prompts, --exp-
pin-cspid, --exp-pin, --
impersonate
Generates a Java
keystore file
containing the same
data as would have
been exported using --
export. See export for
details.
help none none Displays the
information shown in
the figure above.
import --filename or
--path
--p12pin, -p, --pause, --
label, --delay-commit, --
scope-whitelist, --scope-
blacklist, --replace, --
graphical-prompts
With –-filename,
imports a single
certificate, PKCS#7 or
PKCS#12 file.
Wildcards are
supported for
importing multiple
files.
With –-path, imports
all PKCS#12 files
found in any of the
paths specified (on
Windows multiple paths
can be specified by
separating them with
semi-colons).
The value of the --
label option is
appended to the
CKA_LABEL values
generated by CSPid.
The –-exp-only-label
option can filter
output based on this
value.
With --replace,
existing entries are
updated with new
values (specifically,
new labels and black-
/whitelist values).
initialize none -p, --pause, --graphical-
prompts
Erases the user’s
existing PKCS #15 PDU
and creates a new one
with the provided
password.
CSPid User’s Guide
52
p7tob64 --filename --pause, --graphical-prompts Converts the PKCS#7
file specified by –-
filename into the
format required by the
configuration file for
password reset agents.
post <url> --filename --content-type, --pause, --
graphical-prompts, --post-
output
Uploads the contents
specified in –-
filename to the URL
provided (using either
HTTP or HTTPS). The -–
content-type option is
used to specify the
content-type HTTP
header value when
necessary. The default
value is
application/x-www-
form-urlencoded which
is used for posting
simple forms. When
posting multi-part
forms the content-type
must be specified
along with the
boundary value.
query
<opt>
none --pause, --attribute, --
graphical-prompts
1. (Windows only) query Active
Directory for the
user’s first name,
last name, middle
initial, and user
name. Output a
lowercase string of
the following
format CN=lastname
firstname
middleinitial
username
2. (Windows only) query Windows for
the user’s full
name (lastname,
firstname
middleinitial
username)
3. (Windows only) identical to 1, but
also retrieves and
outputs the user’s
e-mail address.
CN=lastname
firstname
middleinitial
username,
rg
4. (Windows only)
CSPid User’s Guide
53
lists all
attributes of the
current user
(useful for
determining the
attribute name for
option 5)
5. (Windows Only) query Active
directory for the
attribute specified
by the --attribute
option.
register none --installonly, -p, --path, -
-pause, --debug, --
graphical-prompts
With –-installonly,
registers the CSPid
library with Netscape-
based applications.
The CSPid password is
not required.
Without –-installonly,
it registers with
Netscape-based
applications,
Microsoft CAPI/CNG and
runs the Register with
Applications Event.
This option requires
the CSPid password.
resetpin --filename --pause, --graphical-prompts Creates a password
reset file to initiate
password reset.
uninstall none --path, --pause, --
graphical-prompts
(UNIX Only) Removes
the CSPid library
integration from
Netscape-based
applications.
Table 12: cspid_cli Options
4.2.2. cspid_ln (Windows Only)
The cspid_ln utility interfaces with Lotus Notes using the Lotus Notes API and so requires that
nNotes.dll be in the path when run.
CSPid(R) Lotus Notes Tool, Version 3.0.1
(C) 2011-2013 Information Security Corp. All rights reserved.
Usage: cspid_ln.exe <command> <options>
Commands: (specify only one)
--sc-verify test to see if Notes is working properly with CSPid
--sc-install add CSPid information to the notes.ini file
--sc-enable smartcard enable the user's ID
--sc-import transfer CSPid certificates into the user's ID
CSPid User’s Guide
54
Note: the private key remains in CSPid
--check-pass check if the Notes ID password supplied in --pass-notes
is correct for this ID
--import-p12 <file> import a PKCS#12 file into the specified Notes ID
--help display this usage information
Options: (specify zero or more options)
--verbose display extra information about the process
--notes-id <user.id> use the specified file as the user ID
--pass-notes specify the password for the user's ID
--pass-cspid specify the user's CSPid password
--pass-p12 specify the password for the PKCS#12 being imported
=<notes.ini> use the specified notes.ini file
Example: cspid_ln.exe --verbose --sc-enable --pass-notes password
See accompanying documentation for additional information.
Figure 17: The cspid_ln Interface
Command Required Options
Optional Switches Additional Information
sc-verify none =<notes.ini>, --notes-id, --
pass-notes, --pass-cspid, --
verbose
Returns 0 if Lotus
Notes is configured to
use CSPid, non-zero
otherwise along with
an error message.
sc-install none =<notes.ini>, --notes-id, --
pass-notes, --pass-cspid, --
verbose
Adds the CSPid PKCS
#11 library entry to
the user’s notes.ini
file.
sc-enable none =<notes.ini>, --notes-id, --
pass-notes, --pass-cspid, --
verbose
Smartcard enables the
user’s notes.id file
(the same as clicking
Enable Smartcard Login
within Lotus Notes).
sc-import none =<notes.ini>, --notes-id, --
pass-notes, --pass-cspid, --
verbose
Imports the
certificates in CSPid
into Lotus Notes (the
same as selecting
Import Certificates
from Smartcard within
Lotus Notes).
check-pass --pass-notes =<notes.ini>, --notes-id, --
verbose
Returns 0 if the
password supplied in -
-pass-notes is
correct. Non-zero
otherwise.
import-p12 --pass-notes,
--pass-p12
=<notes.ini>, --notes-id, --
verbose
Returns 0 on success,
non-zero on failure.
Error 6408 indicates
an incorrect Lotus
Notes ID password.
5631 indicates either
an incorrect PKCS#12
CSPid User’s Guide
55
file password or that
something is wrong
with the PKCS#12 file.
help none none Displays usage
information
Table 13: cspid_ln Options
4.3. The CSPid Audit Trail
CSPid includes a configurable audit trail facility that supports logging events to a specified text file as well
as to the system event log.
All user actions that modify the key store, export private data, or are related to authentication are written
to the system event log regardless of CSPid audit trail settings. This includes object creation, object
modification, use of the credential export functions in the management tools, password entry, password
failure, and password change.
If debug level logging is enabled and a log file is specified, CSPid will append information to assist in
troubleshooting to the log file location. Logging is configured via the CSPid configuration file; see section
3.5 for more information.
4.3.1. Windows
CSPid
creates entries in its own CSPid section of the Windows Event Log. To view the log, use the Event
Viewer accessory provided by Microsoft.
4.3.2. UNIX
On UNIX, CSPid uses syslog to create entries with an identifier of CSPid in the system event log. You
may need to configure syslog to properly capture and store these messages.
CSPid User’s Guide
56
5. CSPid Password and Key Management
5.1. Password Management
Password change is accomplished using the standard PKCS #11 C_SetPin() call. Users can use the
supplied programs, Netscape-based applications, or other PKCS #11 compliant tools to change their
passwords. It should be noted, however, that once the user changes their password all applications that
currently have the library open will begin receiving CKR_DEVICE_REMOVED errors until restarted.
5.1.1. Password History
The configuration file supports the prevention of password re-use. The administrator can specify the
number of unique passwords a user must use before they can re-use a past password. The password
history is stored by CSPid in the PKCS #15 PDU as a string. The first 8 bytes of the string are the random
salt chosen the first time the password was set. The remaining values are the 20-byte SHA-1 hash values
for each password that the user has used. The string is truncated at each password change to contain only
the last X password hash values where X is the number specified in the configuration file. An iteration
count of 512 is used along with the salt to help ensure that it is not possible to do easy table lookups of
SHA-1 hash to password by attackers.
5.1.2. Forced Password Change
If the configuration file has specified password change requirements based on time (i.e. that users must
change their passwords every X days) the library will enforce this requirement by returning a vendor
defined error code when the C_Initialize() function is called (0x82050112 is returned in this case). In
fact, the C_Initialize() function has succeeded but well behaved applications will detect the error code
and fail. A message box is displayed by the library alerting the user. If the management tool detects this
error it displays the password change dialog to allow the user to easily change their password. For the 10
days preceding a required password change users are asked if they would like to change it when the
management tool starts. The date and time of the last password change is stored in the PKCS #15 PDU.
5.1.3. Administrative Password Reset
When the administrative password reset feature is enabled and the user sets, resets, or changes their
password, CSPid will:
1. generate (in a FIPS 140 compliant manner) a pseudorandom string of at least 8 bytes (see Table
5: Password Options)
2. base64-encode the random string generated in 1 to create a new reset password
3. encrypt as a CMS PDU the reset password under the user password, the reset password itself, and
each PRA certificate, and store the result in the user’s active key store (a PKCS #15 PDU)
4. use the reset password as a “PBE-recipient” key during re-encryption of all private objects
5. use the reset password as a PBE-recipient key when generating an HMAC-based CMS
authentication wrapper for the PKCS #15 PDU
Because of 4, the reset password and user password are on an equal footing with respect to their ability to
unwrap private objects, but unlike the user password, the reset password can be recovered (i.e., decrypted)
CSPid User’s Guide
57
using an administrator private key. (Note that administrators cannot recover the actual user password
which protects the user in case they have used that password for other purposes.)
So that the reset password is recoverable by any PRA as well as available at runtime to encrypt new or
changed private objects, it is stored in the PKCS #15 PDU encrypted under itself, the user password, and
all PRA certificates. When the user logs in with either their own password or the reset password provided
by a PRA, the system can, in either case, easily recover the reset password and determine which of the
two passwords was entered. If the user entered the reset password, they are forced to change their
password (thereby generating a new reset password unknown to any PRA).
5.1.4. Password Timeout
When the password timeout feature is enabled CSPid will require the user to reenter their password after
the specified period of inactivity has passed. The method used to cause the calling application to prompt
for the password varies depending on how the calling application accesses the library:
Via Microsoft Windows CAPI/CNG the library’s CardAuthenticatePin function will return
SCARD_W_WRONG_CHV when the KEK is encrypted. This causes the Microsoft Base
Smartcard Provider to prompt the user for their password.
Via PKCS #11, the information returned from the library’s C_GetSessionInfo function will
indicate a state of CKS_RW_PUBLIC_SESSION which tells applications that the card is in the
logged out state when timeout has occurred. The calling application can then call C_Login to
authenticate to the library. If the calling application fails to call C_Login the library will prompt
the user for their password if a sensitive value is required.
If an application attempts an operation that requires the KEK but fails to test and re-authenticate
to the library the library itself will display a password prompt. This is the method that the CSPid
Management Tool uses.
NOTE: When used with a web browser, the server’s SSL/TLS server side timeout value may be greater
than the CSPid timeout value in which case no prompting will occur because the server does not require
the user to authenticate again. Sensitive web sites should have a timeout value that is less than or equal to
the timeout value set in CSPid.
5.1.5. Password Caching
On Windows, CSPid supports per-session and permanent password caching. UNIX-based systems support
only per-session password caching. Both work using the same mechanism. On Windows, the cached
password is encrypted using CryptProtectData and stored in the cspid.ini file and in the CSPid P15
PDU. On UNIX-based systems, an AES key is derived from the user’s login ID and used to encrypt the
password. If per-session caching is enabled, this value is deleted when the CSPid system tray application
exits and is only created if the CSPid system tray application is active. If permanent caching is enabled,
this entry is never deleted. In essence, this method ensures that only applications run within the user’s
own credential space can obtain the password. The MSDN documentation on CryptProtectData provides
excellent details and should be consulted if more information is required.
When password caching is enabled, some password prompts will still appear on Windows XP. Notably,
the password prompt generated by CAPI-based applications will still display. CSPid will automatically
CSPid User’s Guide
58
enter a token string (not the user’s password) into that dialog and click OK for the user when the dialog
appears and is the foreground window.
If permanent password caching is enabled and the user wants or is required to change their CSPid
password they may enter their current Windows password in place of the current CSPid password in the
password change dialog. Similarly, users may enter their current Windows password in place of the
current CSPid password when exporting private keys. In both cases the Windows login password is
confirmed and if correct the cached password is retrieved and used.
5.2. Key Management
CSPid stores certificates, public keys, private keys, and PKCS #11 data objects (CKO_DATA). Following
PKCS #11 specifications, objects that are marked CKA_PRIVATE, TRUE have strong restrictions on which
of their attributes are exposed and which can be changed. Similarly, objects marked CKA_EXTRACTABLE,
FALSE cannot be extracted from the token. Finally, certain object attributes can be changed in only one
direction. For example, the attribute CKA_SENSITIVE can be changed from FALSE to TRUE, but not from
TRUE to FALSE.
NOTE: The correct handling of such restrictions by CSPid might result in unexpected behavior. For
example, since most applications generate keys with CKA_EXTRACTABLE set to FALSE, users may not be
able to export such private keys from the device using a PKCS #11-enabled application.
However, for backup and recovery purposes, users can extract their private keys from the CSPid system
using the integrated management tools; both a graphical user interface and a command line program are
supplied. (These tools do not use standard PKCS #11 API calls but operate directly on the active key store
as a PKCS #15 PDU.)
Private objects are stored in the active key store as encrypted objects. When in memory, all data is stored
in ISC CDK strings or Key objects, both of which meet the FIPS 140-1/2 level 1 requirements for in-
memory storage of keying material. When C_Login is called successfully the encrypted objects in the
PKCS #15 PDU are decrypted into encrypted memory. Memory related to specific objects is decrypted
temporarily when required to perform operations.
5.2.1. Encrypted Memory
When a user logs into CSPid all sensitive objects in the PKCS #15 PDU are decrypted and then stored in
an object in memory. Prior to version 2.1 this information was stored in memory in plaintext. Beginning
with version 2.1, the in memory storage object encrypts sensitive items.
For RSA private keys the following PKCS #11 values are encrypted while in memory: CKA_PRIVATE_EXPONENT
CKA_PRIME_1
CKA_PRIME_2
CKA_EXPONENT_1
CKA_EXPONENT_2
CKA_COEFFICIENT
For ECC private key objects the following values are encrypted while in memory:
CSPid User’s Guide
59
CKA_VALUE
For secret key objects (resulting from ECDH computations for example) the following values are
encrypted while in memory: CKA_VALUE
For data objects that are marked private (resulting from Lotus Notes storing the user’s password) the
following values are encrypted while in memory: CKA_APPLICATION
CKA_OBJECT_ID
CKA_VALUE
Other sensitive information that is encrypted while in memory: All copies of the PKCS #15 PDU password
All copies of the (optional) password reset password
Temporary values computed when calling C_Decrypt with a NULL buffer in order to
obtain the size of the result.
The encryption scheme varies by platform as discussed below, but always uses a 32-byte key encryption
key (KEK) generated at random and stored in memory that cannot be written to the Windows page file,
UNIX swap partitions or accessed by other processes. The KEK is generated using the getrand3() method
in ISC’s FIPS-validated CDK 7 after which getrand3() is called again to transition the PRNG’s state to
ensure that the KEK does not remain in the PRNG’s memory space.
5.2.1.1. Encrypted Memory on Windows 2000 and Windows XP
On Windows 2000 and Windows XP, CSPid uses CryptProtectData and CryptUnprotectData functions to
encrypt sensitive information in memory. The KEK is stored in memory allocated with VirtualAlloc,
marked with VirtualLock (to prevent paging), and protected with VirtualProtect (to prevent access by
other programs). The KEK is passed into the CryptProtectData and CryptUnprotectData data functions
via the optional entropy parameter in order to protect against other processes obtaining the encrypted
memory and using CryptUnprotectData.
Using this scheme the PKCS #15 PDU passwords and sensitive keying material are protected against the
following:
1. Other programs running on the system cannot access the process’ memory and decrypt the in
memory information because the KEK is protected and is inaccessible to other applications.
2. Someone in possession of the Windows hibernation file cannot decrypt the in memory
information because when Windows hibernates or sleeps it clears information required by the
CryptUnprotectData function to decrypt.
NOTE: When Windows is run inside a virtual machine and that virtual machine is “suspended” the KEK
will be accessible (as will sensitive operating system protected information) in a file on the host machine
that contains the system’s memory. In such instances, ISC recommends using the password timeout
option with a short timeout period in order to clear the KEK from memory as soon as possible.
CSPid User’s Guide
60
5.2.1.2. Encrypted Memory on Windows Vista and Windows 7
On Windows Vista/7 CSPid uses the CryptProtectMemory and CryptUnprotectMemory functions to
encrypt sensitive information in memory. These functions require the data to be a multiple of
CRYPTPROTECTMEMORY_BLOCK_SIZE (currently 16) and PKCS#5 padding is used to expand
plaintext as necessary. CryptProtectMemory is called with the
CRYPTPROTECTMEMORY_SAME_PROCESS flag to prevent other processes from decrypting the
memory. The KEK is stored in protected memory as described for Windows 2000/XP. The KEK is used
to super encrypt the output of CryptProtectMemory using the AES Key Wrap algorithm specified in RFC
3394 in order to link the user’s password with the encrypted memory to properly suppose password
timeout. In this way, it is more difficult to recover the encrypted memory when the password has timed
out.
Using this scheme the user’s PKCS #15 PDU password and sensitive keying material is protected against
the following:
1. Other programs running on the system cannot access the process’ memory and decrypt the in
memory information because the CRYPTPROTECTMEMORY_SAME_PROCESS flag
restricts access to the original process.
2. Someone in possession of the Windows hibernation file cannot decrypt the in memory
information because when Windows hibernates or sleeps it clears information required by the
CryptUnprotectMemory function to decrypt.
NOTE: When Windows is run inside a virtual machine and that virtual machine is “suspended” the KEK
will be accessible (as will sensitive operating system protected information) in a file on the host machine
that contains the system’s memory. In such instances, ISC recommends using the password timeout
option with a short timeout period in order to clear from memory the KEK which is required to remove
the super encryption prior to calling CryptUnprotectMemory.
5.2.1.3. Encrypted Memory on UNIX-based Systems
On Linux, OSX, and Solaris CSPid uses the AES Key Wrap algorithm specified in RFC 3394 to encrypt
sensitive information in memory which is padded according to PKCS#5. As on Windows, the KEK is
generated and stored in protected memory (mlock is used to prevent it from being swapped; mprotect is
used to prevent access by other processes).
Using this scheme the user’s PKCS #15 PDU password and sensitive keying material is protected against
an attacker accessing the process’ memory and decrypting the in memory information. However, not all
platforms behave in a consistent manner with regards to the mlock and mprotect functions. Notably,
Solaris 8 requires root access to use the mlock function. Thus, it is possible that the KEK could be written
to the swap partition. In general, on UNIX-based systems ISC recommends using the password timeout
option with a value appropriate to the sensitivity of the keys.
5.2.2. Password Timeout Implementation Details
When the C_Login function is first called the library spawns a thread that waits for the specified time of
inactivity to pass and then encrypts the KEK value with the PKCS #15’s password. The encryption
algorithm used is the same algorithm used when encrypting private information for storage in the PKCS
#15 (see section 12.3). When the user reenters their password, the KEK is decrypted and placed back into
CSPid User’s Guide
61
protected memory. Thus, when password timeout is enabled all sensitive information is encrypted and the
PKCS #15 PDU password is required to decrypt.
5.2.3. Key Management in the CSPid
Management Tool
Prior to version 2.1 the CSPid Management Tool would keep all keys in memory in plaintext form when
running. Beginning with version 2.1, in addition to storing the keys in encrypted memory, the CSPid
management tool will encrypt the KEK, using the same method as described in 5.2.2, when minimized. If
the KEK is required for an operation the tool will prompt the user for the password.
CSPid User’s Guide
62
6. CSPid Libraries
6.1. The PKCS #11 Library
CSPid includes a PKCS #11 library module named CSPid.dll (Windows) or libcspid.so (UNIX) for
use by security-enabled applications that can access PKCS #11 compliant tokens.
On Windows, this library is installed in the CSPid program folder, by default C:\Program Files\CSPid,
and is automatically registered in any Netscape-based profiles the next time the user logs in.
On UNIX, the default installation directory is /opt/cspid.
Manual configuration is normally required for non-Netscape-based applications and most Java
applications. See Chapter 3 for more detailed information.
At this time the PKCS #11 library implements only RSA private key operations and publishes its
capabilities via the C_GetMechanismInfo() function.
See “CSPid API Developer’s Guide, Version 1.1.0” for complete details.
6.2. The Microsoft Windows Library
CSPid can integrate with any application that uses the native cryptographic framework on a supported
Windows platform (e.g., Internet Explorer, Outlook, Outlook Express) through their CryptoAPI (CAPI)
or “Cryptography API: Next Generation” (CNG) interfaces. This is accomplished by installing a virtual
smart card reader, the Microsoft Base Smart Card Provider Cryptographic Service Provider, and a Smart
Card Minidriver adhering to Microsoft specifications, and then registering CSPid as the system’s default
CSP.
When configuring Windows applications to use CSPid for PKI enrollment purposes, users and
administrators must select the Microsoft Base Smart Card Crypto Provider to ensure that all keys are
generated and stored by CSPid.
CSPid User’s Guide
63
7. Quality Assurance Issues
7.1. Testing Methodology
On Windows, CSPid was tested against the following system and applications software, to ensure that it
correctly performed the indicated tasks with all applications:
Software Tasks Executed
Windows XP SP 2
Internet Explorer 6
Microsoft Outlook 2003
Firefox 2.0
Thunderbird 1.5
JRE 1.5.0_09
Netscape 4.79 w/PSM 1.4
Certificate enrollment
Client-authenticated SSL/TLS
S/MIME sign/decrypt
Memory scanning for sensitive
material
Table 14: Test Configurations
See the CSPid Test Plan document for detailed information on the range of tests that were performed.
CSPid User’s Guide
64
7.2. Known Issues
7.2.1. Windows
Uninstalling CSPid may leave links in CAPI between certificates and the removed CSPid.dll. If
the user attempts to use a private key associated with one of these certificates, they will either be
shown an error message or be prompted to insert a smart card containing the associated private
key. Reinstalling CSPid and “clearing” it using the command line management utility will resolve
this issue. Alternatively, the user can just delete the affected certificates from the CAPI store
using Internet Explorer.
If the user is roaming from machine to machine deleting certificates will leave entries in the
Microsoft CAPI store on a previously used machine. When the user goes back to that machine
and uses an application that is CAPI-based they may be presented with a dialog asking them to
insert a smart card. This is usually fixed when the CSPid system tray application starts. In cases
where it is not automatically fixed, the user must run the Register with Applications command
which will remove stranded entries.
When used over Windows RDP (remote desktop protocol) and certain other remote desktop
protocols if CSPid is not installed on the client (i.e. local) system operations attempting to utilize
a key in CSPid will fail. Typically, the user will be prompted to insert a smart card or told that the
smart card service is disabled. To resolve this issue, either install CSPid on the local system or
install the CSPid Smart Card Reader driver on the local system (in cases where the local system
doesn't need the full CSPid package).
7.2.2. Netscape 4.x or higher w/o PSM
Currently none.
7.2.3. Netscape 4.75 or higher w/PSM 1.4
Importing a certificate (as part of a PKI enrollment process) and then immediately using the
personal security manager (PSM) to view available certificates causes it to crash, requiring the
user to restart Netscape.
7.2.4. Internet Explorer
When running in Internet Explorer's "protected mode" CSPid is unable to make changes to disk. If
password caching is enabled and the first password prompt occurs in Internet Explorer when in
"protected mode" the password will not be cached.
7.2.5. Microsoft Outlook
Currently none.
CSPid User’s Guide
65
8. Net-Centric Applications
CSPid can be deployed in conjunction with DAS and your company's existing security-enabled
applications (e.g., Microsoft Outlook S/MIME) to support enhanced security protocols, such as role-based
signing and decryption that were previously impossible to implement with conventional PKI-based tools.
In fact, the combination of CSPid and DAS allows you to leverage security tools based on today's
standards to provide functionality that some vendors would have you believe can only be obtained using
more recent schemes such as identity-based encryption (IBE) for which standards have not yet been
established.
The following scenarios illustrate four of the possible applications of CSPid/DAS in a 'net-centric'
environment:
8.1. Role-Based Authentication
PROBLEM: A group of watch officers are to sign messages that recipients can validate as having been
issued by some authorized group member. (In this scenario, recipients don't care which individual signed
a given message, they only need assurance that an authorized member of the group did so.)
SOLUTION SETUP: An asymmetric key pair is generated for the watch officer role, a special role
certificate is issued on the public component, and the role private key is put under the control of a DAS
server that is configured to perform signing operations with that key only for individuals on the active
duty roster for this role. The role certificate is loaded into the CSPid clients on all watch officer systems
and CSPid is registered with all security-enabled client applications on those systems. (In fact, all watch
officer logins may be hosted on a single system.)
OPERATION: When a watch officer attempts to sign an outgoing message using the role credentials with
any security-enabled client application on his system, his CSPid client automatically establishes a TLS-
secured connection (with client authentication) to the appropriate DAS server where the signature
computation is performed using its protected role private key. As usual, recipients use the watch officer
role certificate to validate all signed messages.
DAS server
(watch officer private key
and duty roster/ACL)
HSM
(optional)
CSPid
(role certificate)
net-centric
environment
(TLS w/ client auth.) duty roster
watch officer
role
watch officers
1 Application requests role signature
2 CSPid contacts server w/ client credentials
3 Server authenticates client, returns signature to CSPid
3 CSPid returns signature to application as if it was signed locally
Figure 18: Watch Officers Sign Messages with Shared Role Key on DAS Server
RESULT: Recipients can be assured that an authorized watch officer issued each validly-signed message
while the DAS server’s audit trail keeps track of the identities of the individuals who actually performed
CSPid User’s Guide
66
each signing operation. Since the watch officer private key is securely protected by the DAS server
(possibly on an independent HSM), at no time is it available for compromise even by authorized signers.
8.2. Role-Based Encryption
PROBLEM: Documents and e-mail messages encrypted for a particular commander (e.g., CMDR
CENTCOM) must be available (without re-keying) to his successor in that role.
SOLUTION SETUP: An asymmetric key pair is generated for the commander, a special role certificate is
issued on the public component, and the private component is put under the control of a DAS server that
is configured to perform decrypt operations with that key only for the active commander. The certificate
is loaded into the CSPid client on the commander's system and CSPid is registered with all security-
enabled client applications. All documents and e-mail messages are encrypted for the commander using
the role certificate.
OPERATION: When the commander attempts to decrypt a document or e-mail message encrypted with
the role certificate, the CSPid client on his system automatically establishes a TLS-secured connection
(with client authentication) to the appropriate DAS server where the required asymmetric key unwrapping
operation is performed using its protected private key. When the commander is replaced, an administrator
need only update the access control list (ACL) for the corresponding DAS account.
DAS server
(role private key)
HSM
(optional)
net-centric
environment
(TLS w/ client auth.)CSP
id
(role certificate)
Commander
1 Application requests unwrapping of session key
2 CSPid contacts server w/ client credentials
3Server authenticates client, returns to CSP
id session key
rewrapped with client certificate
3CSP
id unwraps session key (using client private key) and returns it to
application as if it was unwrapped locally
Figure 19: Commander Decrypts Documents Using Role Key on DAS Server
RESULT: All sensitive documents and e-mail messages remain encrypted under a single certificate and
can only be decrypted by the current commander after strong authentication using his current individual
credentials (e.g., CAC card). No re-keying is necessary as different individuals inherit the commander
role and the critical private key is securely stored on a DAS server or, even more securely, on an attached
HSM. The DAS server's audit trail provides a centralized record of all decrypt operations and, optionally,
of the true identity of the individual who performed them.
8.3. Confidentiality within a Community of Interest
PROBLEM: Sensitive documents must be security shared among the members of a community of interest
(CoI) with a dynamic membership roster.
CSPid User’s Guide
67
SOLUTION SETUP: An asymmetric key pair is generated for the CoI, a special group certificate is
issued on the public component, and the private component is put under the control of a DAS server that
is configured to perform decrypt operations with that key only for active CoI members. The certificate is
loaded into the CSPid client on the systems of all CoI members, and CSPid is registered with all security-
enabled client applications on those systems. All sensitive documents and e-mail messages intended for
the CoI are encrypted under the group certificate.
OPERATION: When a CoI member attempts to decrypt a document or e-mail message encrypted with
the group certificate, the CSPid client on his system automatically establishes a TLS-secured connection
(with client authentication) to the appropriate DAS server where the required asymmetric key unwrapping
operation is performed using its protected private key. When the CoI membership roster changes, an
administrator need only update the access control list (ACL) for the corresponding DAS account.
DAS server
(CoI private key and
membership roster ACL)
HSM
(optional)
CSPid
(CoI certificate)
net-centric
environment
(TLS w/ client auth.)CoI member
Co1 Application requests unwrapping of session key
2 CSPid contacts server w/ client credentials
3Server authenticates client, returns to CSP
id session key
rewrapped with client certificate
3CSP
id unwraps session key (using client private key) and returns it to
application as if it was unwrapped locally
membership
roster
Figure 20: CoI Members Decrypt Documents Using CoI Key on DAS Server
RESULT: All sensitive documents and e-mail messages remain encrypted under a single certificate and
can only be decrypted by active CoI members after strong authentication using their current individual
credentials. No re-keying is necessary as changes are made to the CoI membership roster. The critical
private key is securely stored on a DAS server or, even more securely, on an attached HSM. The DAS
server's audit trail provides a centralized record of all decrypt operations and, optionally, of the identities
of the individual CoI members who performed them.
8.4. Expanded Storage and Enhanced Security for Private Keys
PROBLEM: Key rollover results in a new certificate and private key being loaded onto a high-ranking
officer's smartcard where limited storage causes an older certificate and private key to be displaced.
Suddenly the officer has lost the ability to decrypt documents and e-mail messages encrypted with the
older credentials.
SOLUTION SETUP: Load the officer's entire key history into an account on a DAS server and install his
certificate history into a CSPid client on his own system.
OPERATION: Once CSPid has been registered with all security-enabled applications on the officer's
system, they will use his smartcard for cryptographic operations requiring his latest private key but
transparently establish a TLS-secured CSPid/DAS connection when access to an older private key is
required. Going forward, key rollover simply involves moving the officer's retiring certificate to
CSPid and the corresponding key pair to his account on the DAS server.
CSPid User’s Guide
68
DAS server
(old private keys)
Officer
CAC
(newest keys)HSM
(optional)
CSPid
(old certificates)
net-centric
environment
(TLS w/ client auth.)
1 Application requests crypto operation using old private key
2 CSPid contacts server w/ current client credentials
3
Server authenticates client, performs private key operation
and returns to CSPid
result encrypted under user’s current
credentials
3CSP
id applies user’s current private key to unwrap result and returns it
to application as if old private key operation was performed locally
Figure 21: Officer Retains Access to His Entire Key History
RESULT: By relying on the virtually unlimited storage of the DAS server (and the potentially greater
security of its key store which may be located on an HSM), an (on-line) user can maintain use of his
entire key history. He thereby retains access to all encrypted documents and e-mail messages ever sent to
him in a completely seamless manner.
8.5. Brokered Authentication - “Need-to-Know” Control Over Sensitive Resources
PROBLEM: Access to a sensitive resource needs to be controlled with a set of finely-tuned access control
rules that might vary over time.
SOLUTION SETUP: Generate a "resource key pair," obtain a "resource certificate" on the public key,
and distribute it to all users who might require access to that resource; ensure that the certificate is loaded
into the CSPid client on each user's system (this step may be automated in several ways). Create a DAS
account for the resource and install its certificate and private key along with a custom "authenticator" that
implements the access control rules. (An authenticator is a simple Java function that implements the
access control predicate: it takes as input the user's credentials and returns a Boolean response indicating
whether the user should be allowed or denied access to the requested resource. Sample predicates based
on LDAP group membership, certificate extension and/or attribute values, etc., can be provided.)
OPERATION: When an application attempts to access the sensitive resource, CSPid will be asked to
provide authentication (which normally takes the form of a "proof of possession" of the resource private
key — typically a digital signature). CSPid will then attempt to obtain this signature from the appropriate
DAS server as illustrated in the following diagram:
DAS server
(Resource private key and
custom “authenticator”)
HSM
(optional)
CSPid
(resource certificate)
net-centric
environment
(TLS w/ client auth.)
User
1 Application requests authentication for resource access
2 CSPid contacts server w/ client credentials
3If server authenticates client, resource authentication result is
returned to CSPid
3If available, CSP
id provides authentication to application, otherwise
access fails.
Figure 22: A DAS Server Used to Impose Strong "Need-to-Know" Controls over Sensitive Resources
CSPid User’s Guide
69
Only if the user's credentials pass the custom authenticator's test will the DAS server provide the required
signature for resource access.
RESULT: Together, CSPid and DAS provide assurance that the sensitive resource is securely protected.
Maintenance of the entire system is simplified by reliance on a custom "authenticator" that may be easily
modified whenever access control policies change. A single DAS server can be used to protect an
unlimited number of sensitive resources in this way.
CSPid User’s Guide
70
9. References
CSPid API CSPid API Developer’s Guide, v 2.1.0, Information Security Corp., April 2010.
CSPid Test Plan CSPid Test Plan, v 2.1.0, Information Security Corp., April 2010.
FIPS 46-3 FIPS 46-3: Data Encryption Standard (DES), NIST, October 25, 1999. Archived
May 19, 2005. http://csrc.nist.gov/publications/PubsFIPSArch.html
FIPS 180-2 FIPS 180-2: Secure Hash Standard, NIST,. August 1, 2002. Archived October
2008 and superseded by FIPS 180-3.
http://csrc.nist.gov/publications/PubsFIPS.html
FIPS 197 FIPS 197: Advanced Encryption Standard (AES), NIST, November 26, 2001.
http://csrc.nist.gov/publications/PubsFIPS.html
Java PKCS #11 Java™ PKCS #11 Reference Guide, Sun Microsystems, May 2004.
http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
Java SSL/TLS Java™ Secure Socket Extension (JSSE) Reference Guide, Sun Microsystems, 2004.
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
MODUTIL Using the Security Module Database Tool (modutil), Mozilla.org
http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html
MS SCMD Smart Card Minidriver Specification for Windows Base Cryptographic Service
Provider (Base CSP) and Smart Card Key Storage Provider (KDP) v 5.05,
Microsoft Corp., October 2006.
http://www.microsoft.com/whdc/device/input/smartcard/sc-minidriver.mspx
NIST AES Key Wrap
AES Key Wrap Specification, NIST, November 2001.
http://csrc.nist.gov/groups/ST/toolkit/documents/kms/AES_key_wrap.pdf
PCSC Basko, Dmitry, Development of PC/SC compatible driver for WINDOWS (MS
VC++.NET), 2003. http://www.bds.dogma.net/pc_sc.htm
PKCS #5 Password-Based Encryption Standard. v2.0, RSA Laboratories, March 25, 1999.
http://www.rsasecurity.com/rsalabs/node.asp?id=2127
PKCS #8 Private-Key Information Syntax Standard. v1.2, RSA Laboratories , November
1993. http://www.rsasecurity.com/rsalabs/node.asp?id=2130
PKCS #11 Cryptographic Token Interface Standard. v2.20, RSA Laboratories, June 2004.
http://www.rsasecurity.com/rsalabs/node.asp?id=2133
PKCS #12 Personal Information Exchange Syntax Standard. v1.0, RSA Laboratories, June
1999. http://www.rsasecurity.com/rsalabs/node.asp?id=2138
PKCS #15 Cryptographic Token Information Syntax Standard v1.1, RSA Laboratories, June
2000. http://www.rsasecurity.com/rsalabs/node.asp?id=2141
RFC 3211 Gutmann, P., RFC 3211: Password-based Encryption for CMS, University of
Auckland, December 2001. http://tools.ietf.org/html/rfc3211
CSPid User’s Guide
71
RFC 3394 Schaad, J., and R. Housley, RFC 3394: Advanced Encryption Standard (AES) Key
Wrap Algorithm, Soaring Hawk Consulting and RSA Laboratories, September
2002. http://tools.ietf.org/html/rfc3394
RFC 3565 Schaad, J., RFC 3565: Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS), Soaring Hawk Consulting,
July 2003. http://tools.ietf.org/html/rfc3565
RFC 3852 Housley, R., RFC 3852: Cryptographic Message Syntax (CMS), Vigil Security,
July 2004. http://tools.ietf.org/html/rfc3852
RFC 4231 Nystrom, M., RFC 4231: Identifiers and Test Vectors for HMAC-SHA-224, HMAC-
SHA-256, HMAC-SHA-384, and HMAC-SHA-512, RSA Security, December 2005.
http://tools.ietf.org/html/rfc4231
Tomcat The Apache Tomcat 5.5 Servlet/JSP Container SSL Configuration HOW-TO, The
Apache Software Foundation, 1999-2006. http://tomcat.apache.org/tomcat-5.5-
doc/ssl-howto.html
X.680 Information Technology – Abstract Syntax Notation One (ASN.1): Specification of
Basic Notation, ITU-T, July 2002.
X.690 Information Technology – ASN.1 Encoding Rules: Specification of Basic Encoding
Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules
(DER), ITU-T, July 2002.
CSPid User’s Guide
72
10. Appendix A: Default Configuration File
The default configuration file as provided to administrators for modification prior to installation.
#########################################################################
# CSPID SAMPLE CONFIGURATION FILE
# Version 3.0.1
# Copyright (c) 2007-2013 Information Security Corp. All rights reserved.
#
#########################################################################
#
# Edit this file to configure how the CSPid token functions.
#
# Windows:
# This file must be located in the same folder as the CSPid
# library (CSPid.dll or libcspid.so).
#
# UNIX:
# The CSPid library searches for this file in this order
# a. /etc/cspid.cfg
# b. /usr/etc/cspid.cfg
# c. /opt/cspid/cspid.cfg
# d. $CSPidInstDir/cspid where CSPidInstDir is an environment
# variable specifying the location of the configuration file.
#
# File Format:
# a. Any line beginning with # or ; is considered a comment.
# b. Blank lines are ignored.
# c. All other lines should be Option=Value pair.
# d. Where noted, you may continue an option on the next line by
# using nothing for the Option (i.e. simply "=Value")
#
#########################################################################
########################################################################
# CSP SETTINGS
#########################################################################
#
# P15URL specifies the path and filename to use for the PKCS#15 PDU.
;P15URL=%APPDATA%\CSPid\cspid.p15
#
# USE_OLD_CHANGE_NOTIFY_METHOD specifies that the library should use the
# older "load and compare" method of PDU change detection logic rather than
# the new (much faster) method or relying on Windows change notifications.
# This is a Windows-only option.
# 0 (no)
# 1 (yes)
;USE_OLD_CHANGE_NOTIFY_METHOD=0
#
# AUTO_INIT specifies whether or not the system tray application will prompt
# the user to set a password and configure a key store. If set to 0, the
# system tray application will run in reduced functionality mode until this
# option is changed or the PDU is initialized with the cspid_cli tool AND
# the system tray application is restarted.
# 0 (no)
# 1 (yes)
;AUTO_INIT=1
#
# VIRTUALIZE_GP_ISSUERS specifies whether or not certificates in the Windows
# Group Policy certificate stores will be visible through CSPid to PKCS#11
# applications. Enabling this is an efficient way to manage trust anchors in
# Netscape/Firefox/Thunderbird.
# 0 (no)
# 1 (yes)
#
;VIRTUALIZE_GP_ISSUERS=0
CSPid User’s Guide
73
#
# READONLY specifies that only the CSPid tools can write to the PKCS#15
# PDU. This prevents Firefox, Internet Explorer, and other applications
# from generating keys or otherwise manipulating the PDU.
# 0 (no)
# 1 (yes)
;READONLY=0
#
# ENFORCE_CKA_EXTRACTABLE specifies that CSPid should prevent the export
# of any keys marked CKA_EXTRACTABLE=FALSE. This attribute can be set
# using the cspid_cli's --exportable-no option during either private key
# import (--import) or key generation (--gen-p10). Note, previous versions
# of CSPid marked all keys CKA_EXTRACTABLE=FALSE. Thus is you are upgrading
# and set this value to 1, your users will not be able to export their
# keys.
# 0 (no)
# 1 (yes)
;ENFORCE_CKA_EXTRACTABLE=0
#
# ECCDHSS_EXTRACTABLE specifies whether or not CSPid should allow the
# ECDH result to be exported (extracted) from the library. In most cases
# this value should remain 0.
# 0 (no)
# 1 (yes)
;ECCDHSS_EXTRACTABLE=0
#
# BL<TAG> specifies a blacklist for all certificates marked with TAG.
# TAG can be specified during import using the cspid_cli --scope-blacklist
# option or using the CSPid Manager edit attribute option.
# For example, BLVPN=firefox.exe will prevent any certificate tagged VPN
# from appearing in Firefox. BLNOCAPI=CAPI will prevent any certificate
# tagged NOCAPI from appearing in CAPI-based applications.
#
# WL<TAG> specifies a whitelist for all certificates marked with TAG.
# TAG can be specified during import using the cspid_cli --scope-whitelist
# option or using the CSPid Manager edit attribute option.
# For example, WLVPN=firefox.exe allow certificates tagged VPN
# to only appear in Firefox. WLCAPIONLY=CAPI will allow certificates tagged
# CAPIONLY to only appear in CAPI applications (they will not appear in
# Firefox, etc.).
#
#########################################################################
#########################################################################
# LOG SETTINGS
#########################################################################
#
# LOGLEVEL specifies an integer representing the logging level to use.
# 0 (critical information only)
# 1 (information)
# 2 (debug)
# Debug and information entries appear only in the file specified by LOGFILE.
# Critical information entries are always logged to the system event log, and
# optionally to the file specified by LOGFILE.
;LOGLEVEL=0
#
# LOGFILE specifies path and filename in which to log information in
# addition to the system event log.
;LOGFILE=
#
# LOGFILEDAILY specifies whether or not the log file name (specified above)
# should be pre-pended with the day of creation. This prevents the logfile
# from growing too large.
# 0 (no)
# 1 (yes)
;LOGFILEDAILY=0
#
# APPLOGFILE is the location where CSPid stores the list of
# applications that have called the C_Initialize function. The default
# is to disable this feature by not specifying a filename.
CSPid User’s Guide
74
;APPLOGFILE=
#########################################################################
#########################################################################
# PASSWORD SETTINGS
#########################################################################
#
# PWCACHE specifies whether or not password caching is enabled.
# 0 (no)
# 1 (per-session)
# 2 (permanently - Windows Only)
;PWCACHE=0
#
# PWCACHE_CLEAR_ON_BAD_PIN specifies the threshold of incorrect password attempts
# which if exceeded will result in the clearing of the cached password.
# 0 (no)
# >=1 (yes, after the number of attempts specified)
;PWCACHE_CLEAR_ON_BAD_PIN=1
#
# PWPROMPT_AT_STARTUP specifies whether or not the system tray application
# will prompt the user for a password when they log into Windows (or it is
# started on UNIX-like operating systems. Useful when combined with PWCACHE=1).
# 0 (no)
# 1 (yes)
;PWPROMPT_AT_STARTUP=0
#
# PWREQNUM specifies whether or not user created passwords must include
# a number.
# 0 (no)
# 1 (yes, one of [0-9] must be included)
;PWREQNUM=0
#
# PWREQALPHA specifies whether or not user created passwords must
# include an alpha character.
# 0 (no)
# 1 (yes, one of [a-z][A-Z] must be included)
;PWREQALPHA=0
#
# PWREQPUNC specifies whether or not user created passwords must
# included a punctuation mark.
# 0 (no)
# 1 (yes, one of [.,?!;:'"] must be included)
;PWREQPUNC=0
#
# PWREQSPEC specifies whether or not user created passwords must
# include a special character.
# 0 (no)
# 1 (yes, one of [@#$%^&*()+=-_/><\|[]{}`~] must be included)
;PWREQSPEC=0
#
# PWREQMIXEDCASE specifies whether or not user created passwords
# must include both lower and upper case characters
# 0 (no)
# 1 (yes)
;PWREQMIXEDCASE=0
#
# PWMINLEN specifies the minimum length of user created passwords.
# Applies to both password quality settings.
;PWMINLEN=1
#
# PWCHANGE specifies the time between required user password changes.
# During the 10 days prior to mandatory password change the user will
# be offered the chance to changed their password when the CSPid
# Manager starts.
# Applies to both password quality settings.
;PWCHANGE=0
#
# PWHISTORY specifies the number of unique passwords required before
CSPid User’s Guide
75
# a user can re-use a previous password.
# Applies to both password quality settings.
;PWHISTORY=0
#
# PWTIMEOUT specifies the password timeout value in seconds. After
# X seconds of inactivity the user will be required to re-enter their
# CSPid password. Please see the CSPid user's guide for complete
# implementation details and guidance.
# -1 = never
# nonzero = seconds of inactivity after which PIN re-entry is required
# Applies to both password quality settings.
;PWTIMEOUT=-1
#
# RSTPWAGENTS specifies one or more password reset agent certificates
# as a base64-encoded PKCS#7 PDU. The cspid_cli utility's --p7tob64
# option will convert a PKCS#7 generated by another application into
# the form expected by this configuration file. The basic rules are:
# a. No line can exceed 500 characters in length
# b. Continuation lines must begin with a = character
#
;RSTPWAGENTS=First line of PDU
;=Second line of PDU
;=Third line of PDU
#
# RSTPWMINLEN specifies the number of random bytes to generate when
# creating the reset password. The reset password the user must enter
# will be 1/3 bigger than this value. The default value is 10, the
# minimum value is 8. This value should be at least as big as
# the PWMINLEN value.
;RSTPWMINLEN=10
#
# RSTPW_MECHANISM specifies the technique that CSPid's system tray
# application will use to help the user through password reset.
# 0 (e-mail, the normal mechanism available prior to the 2.4.3 release)
# 1 (use RSTPW_CMD, see below)
# 2 (prompt the user to save the reset file)
;RSTPW_MECHANISM=0
#
# RSTPW_MESSAGE specifies a message to display to the user before
# performing the password reset mechanism specified in RSTPW_MECHANISM
;RSTPW_MESSAGE=
#
# RSTPW_CMD one or more commands to run when the user initiates password
# reset. %1 in the command will be replaced with the path/filename of the
# password reset file.
;RSTPW_CMD=
#
# RSTPW_PROMPT_RESET specifies whether or not the user will be prompted to
# change their password at the end of the reset process.
# 0 (no)
# 1 (yes)
;RSTPW_PROMPT_RESET=1
#
# PW2ENABLED enables advanced password quality logic in place of some of
# the original password quality requirements listed above (PWREQNUM, PWREQALPHA,
# PWREQPUNC, PWREQSPEC, and PWREQMIXEDCASE are replaced by PW2MASK and the
# additional PW2REQCLASSCHG option applies) while still enforcing cache, length,
# reset, and periodic change requirements.
# 0 (no)
# 1 (yes)
;PW2ENABLED=0
#
# PW2MASK specifies the password quality requirements if PW2ENABLED is
# set to 1. This is a | delimited string of password classes:
# U = upper case character required
# L = lower case character required
# N = number required
# P = punctuation required
# S = special character required
# u = upper case character forbidden
CSPid User’s Guide
76
# l = lower case character forbidden
# n = number forbidden
# p = punctuation forbidden
# s = special character forbidden
# These can be combined to produce password quality requirements
# that require the password to be mixed case and contain either a number
# or punctuation: ULN|ULP
# For example: ULNP|ULNS|ULSP|Nulsp
# would accept passwords that matched one of:
# mixed case with a number and a punctuation symbol
# mixed case with a number and a special character
# mixed case with a special character a punctuation symbol
# only numbers
;PW2MASK=
#
# PW2REQCLASSCHG specifies the maximum number of consecutive characters
# allowed from a character class.
# 0 (disabled)
# > 0
# For example, if PW2REQCLASSCHG is 4 then no password can contain more
# than 4 consecutive: upper case characters, lower case characters,
# numbers, punctuation marks, or special characters. So, ABCDE1234 would
# be invalid, but AbCDE1234 would be accepted.
;PW2REQCLASSCHG=0
#########################################################################
#########################################################################
# NETSCAPE/MOZILLA SETTINGS
#########################################################################
#
# NSSEARCHPATH specifies one or more semi-colon delimited paths
# that CSPid should search when finding Netscape-based application
# profiles during installation or when the user selects Register with
# Applications. A common addition is %ProgramFiles%\Netscape
#
;NSSEARCHPATH=%APPDATA%\Mozilla;%APPDATA%\Thunderbird
#
# NSCREATETRUST specifies whether or not to CKO_NETSCAPE_TRUST
# objects are created for certificates stored by CSPid.
# 0 (no)
# 1 (yes)
# Setting this value to 1 will cause most Netscape-based applications
# to trust any certificate stored by CSPid (including roots).
;NSCREATETRUST=1
#########################################################################
#########################################################################
# IMPORT/EXPORT SETTINGS
#########################################################################
#
# CAIMPORT specifies whether or not CSPid should store issuer
# certificates.
# 0 (Never import CA certificates via the CSPid User Interface.
# Effectively disables the import of anything but PKCS#12 files.)
# 1 (Allow users to import CA certificates via the CSPid user
# interface, but prompt for approval of root certificates.)
# 2 (Allow users to import CA certificates via the CSPid user
# interface without any prompting (CAPI prompts *may* appear).)
# Note, this setting affects PKCS#12 import and export with regard to
# prompting only.
;CAIMPORT=1
#
# P12EXPORT specifies whether or not users can export their
# private keys from CSPid as PKCS#12 formatted files.
# 0 (no)
# 1 (yes)
CSPid User’s Guide
77
;P12EXPORT=1
#
# P12EXPORTREQUIRESNEWPIN specifies whether or not users can use their
# CSPid password as the password for exported private keys.
# 0 (yes) - users can use the same password
# 1 (no) - users must use a different password
#
;P12EXPORTREQUIRESNEWPIN=0
#
# P12IMPORTCA specifies whether or not CSPid should import issuer
# certificates it finds when importing PKCS#12 files.
# 0 (no)
# 1 (yes)
# Note, setting this value to 1 causes the CSPid user interface to
# import any issuer certificates it finds in the PKCS#12 during import
# if allowed by the CA Import Settings. During export, if this value is
# set to 1, issuing certificates will be included in the exported
# PKCS#12 if available.
;P12IMPORTCA=1
#
# P12IMPORTREGAPPS specifies whether or not the CSPid UI should run
# the register with applications event when a PKCS#12 file is imported
# from the CSPid UI's command line.
# 0 (no)
# non-zero = how recently the certificate must have been issued in hours
# (i.e. 24 means if the imported certificate was issued within
# the last 24 hours run the event, otherwise do not).
;P12IMPORTREGAPPS=0
#
# P12CLIIMPDELONMATCH specifies the string to search for when importing
# a PKCS#12 file using the CSPid UI's command line. If the string is
# found in the path or name of the imported file it will be deleted
# after it has been successfully imported. Common values are Temp (for
# Firefox) and Temporary (for Internet Explorer).
;P12CLIIMPDELONMATCH=
#
# IGNORE_ISSUERS_IN_GP specifies whether or not CSPid should install
# certificates into MS CAPI if they are already in a group policy
# provided store in MS CAPI.
# 0 (no)
# 1 (yes)
# Note: If the group policy is changed after CSPid installs the certificate
# users may see 2 certificates for a given issuer because group policy
# is adding a duplicate value.
;IGNORE_ISSUERS_IN_GP=1
#########################################################################
#########################################################################
# EVENT HANDLING
#########################################################################
#
# ENROLLURL specifies a URL that should be opened by the CSPid Manager
# when it starts and no certificates with private keys can be found.
# This value is superseded by the ENROLLCMD option if present.
;ENROLLURL=http://www.infoseccorp.com/ca/silver/contents.htm
#
# ENROLLURL_MESSAGE specifies the text to display to the user prior to
# opening the browser to the enrollment URL specified in ENROLLURL.
;ENROLLURL_MESSAGE=
#
# ENROLLCMD specifies one or more commands (see note below) that should
# be executed when the CSPid Manager starts and no certificates with
# private keys can be found. This value supersedes the ENROLLURL
# option.
;ENROLLCMD=
#
# ENROLLCAPI causes CSPid to move all credentials that can be exported
# from the user's Microsoft CAPI "Personal" store to CSPid when the
CSPid User’s Guide
78
# CSPid manager starts and no credentials are found. This value
# supersedes both the ENROLLURL and ENROLLCMD values. The currently
# selected EFS certificate and any non-exportable certificates are not
# moved.
# 0 (disabled)
# 1 (enabled)
;ENROLLCAPI=0
#
# ENROLLCAPI_MESSAGE specifies the text to display to the user prior to
# migrating their keys from CAPI/CNG on initial startup.
;ENROLLCAPI_MESSAGE=
#
# NEWSIGCERTCMD specifies one or more commands (see note below) that
# should be executed when a new signing certificate is stored in CSPid.
# The following must be true for these commands to be executed:
# a. The certificate must have a matching private key already stored
# by CSPid.
# b. The program creating or loading the certificate object into
# CSPid cannot be the CSPid Manager or the CSPid Command Line.
# Therefore, these are most useful when you wish to execute one or more
# commands during web enrollment. For example, you can use these
# options with ISC's Credential Management Utility to download and
# install a PKCS#12 file using a newly issued (and thus installed)
# signing certificate. For complete details please see the CSPid User's
# Guide.
;NEWSIGCERTCMD=
#
# NEWENCCERTCMD specifies one or more commands that should be executed
# when a new encryption certificate is stored in CSPid. Please see
# NEWSIGCERTCMD for details.
;NEWENCCERTCMD=
#
# DASNEWSIGCERTCMD specifies one or more commands (see note below) that
# should be executed when a new DAS-enabled signing certificate is stored
# in CSPid. The following must be true for these commands to be executed:
# a. DAS must be enabled (see below)
# b. The program creating or loading the certificate object into
# CSPid cannot be the CSPid Manager or the CSPid Command Line.
;DASNEWSIGCERTCMD=
#
# DASNEWENCCERTCMD specifies one or more commands (see note below) that
# should be executed when a new DAS-enabled encryption certificate is
# stored in CSPid. Please see DASNEWSIGCERTCMD for details.
;DASNEWENCCERTCMD=
#
# RENEWURL specifies the URL to open in the default web browser
# when the user selects Renew My Certificate in the CSPid Manager or
# when the CSPid Manager determines that renewal is required based on
# the RENEWDAYS option. This value is superseded by the RENEWCMD
# option. The CSPid determines whether renewal is required as follows:
# a. If there is at least one signing certificate and no signing
# certificate will be valid in RENEWDAYS.
# b. or if there is a least one encrypting certificate and no
# encrypting certificate will be valid in RENEWDAYS.
;RENEWURL=http://www.infoseccorp.com/ca/silver/contents.htm
#
# RENEWURL_MESSAGE specifies the text to display to the user prior to
# opening the browser to the enrollment URL specified in RENEWURL. This
# text is NOT displayed if the user initiates the action through the
# CSPid Manager.
;RENEWURL_MESSAGE=
#
# RENEWCMD specifies one or more commands (see note below) that should
# be executed when the CSPid Manager starts and finds that either no
# signing or no encrypting certificates will be valid in RENEWDAYS.
# This value supersedes the RENEWURL option. See RENEWURL for more
# information.
;RENEWCMD=
#
# RENEWDAYS specifies the number of days before certificate expiration
CSPid User’s Guide
79
# that should be considered when deciding whether or not certificate
# renewal should execute.
;RENEWDAYS=
#
# REGAPPSCMD specifies one or more additional commands (see note below)
# that should be executed when the user selects Register with
# Applications in the CSPid Manager.
;REGAPPSCMD=
#
# ALLCERTSISSUERS modifies the treatment of certificates installed that
# are not associated with private keys. If enabled (1) all certificates
# installed without an associated private key will be treated as issuer
# certificates and installed in the Windows "CA" (Intermediate Certification
# Authorities) store. If disabled (0) any certificate without a private
# key that does not include a basic constraints extension identifying the
# type will be installed in the Windows "Other" (other people) store.
;ALLCERTSISSUERS=0
#
# STARTUPCMD specifies one or more commands that should be executed
# when the user starts the CSPid Manager.
;STARTUPCMD=
#########################################################################
#########################################################################
# DAS OPTIONS
#########################################################################
#
#
# DASENABLE turns on DAS support. If set to a CSPid DAS Enablement
# serial number CSPid will assert to applications that it holds the
# private key matching any DAS-enabled certificate imported into CSPid.
;DASENABLE=0
#
# DASSERVER specifies one or more DAS server URIs that should be used
# when performing DAS unwrap operations. Servers are tried in order
# listed.
;DASSERVER=https://192.168.0.85:6444/das/cois/
#
# DASSIGSERVER specifies one or more DAS server URLS that should be
# used when performing DAS signature operations. Servers are tried
# in order listed.
;DASSIGSERVER=https://192.168.0.85:6444/das/cois/
#
# DASTIMEOUT specifies the number of seconds to wait for a connection
# to a DAS server for a signature or unwrap request before aborting the
# attempting and trying the next server.
;DASTIMEOUT=5
#
# DASNUMREDIR specifies the maximum number times that CSPid will
# perform URL redirection when the contacted DAS server returns CoI
# not found with a list of URLs.
# -1 (no limit)
# 0 (no redirection allowed)
# >0 (limited to the value specified)
;DASNUMREDIR=-1
#
# DAS_SIGN_ISSUER_ID specifies either the Issuer DN or the AKI
# hash value that is preferred when auto-selecting a signing
# certificate.
;DAS_SIGN_ISSUER_ID=
#
# DAS_ENC_ISSUER_ID specifies either the Issuer DN or the AKI
# hash value that is preferred when auto-selecting an encryption
# certificate.
;DAS_ENC_ISSUER_ID=
#
# DAS_ENC_LABEL_ID specifies a keyword that the label of the
# preferred encryption certificate will contain. For CACs it's Encryption
;DAS_ENC_LABEL_ID=
CSPid User’s Guide
80
#
# DAS_SIGN_LABEL_ID specifies a keyword that the label of the
# preferred signature certificate will contain. For CACs it's Signature
;DAS_SIGN_LABEL_ID=
#
# EXT_P11_LIB specifies the PKCS#11 library path and name to use when
# authenticating to a DAS server and unwrapping the server's response.
# the default value is to use CSPid.
;EXT_P11_LIB=C:\Program Files\CSPid\CSPid.dll
#
# EXT_P11_LIB64 specifies the 64-bit PKCS#11 library path and name to use when
# authenticating to a DAS server and unwrapping the server's response.
# the default value is to use CSPid.
;EXT_P11_LIB64=C:\Program Files\CSPid\CSPidx64.dll
#
# EXT_P11_LABEL specifies the PKCS#11 label to use when CSPid communicates
# with a PKCS#11 device. If present, CSPid will only use a slot if the
# token present in that slot matches this value. If blank, CSPid will use
# the first slot that contains a token.
;EXT_P11_LABEL=ISC CSPid
#
# EXT_P11_NAME specifies the name to display in the password dialog
# when CSPid prompts the user for the PIN to their smart card. If
# blank it will use the card's label.
;EXT_P11_NAME=ISC CSPid
#########################################################################
#########################################################################
# CONFIGURATION FILE UPDATE OPTIONS
#########################################################################
#
# CFGUPDATENAME specifies the name of this "policy". This is displayed
# in the about dialog of the application for informational purposes.
;CFGUPDATENAME=Default
#
# CFGUPDATELOCALSTORE specifies the location in which CSPid should store
# updated policies for the user.
;CFGUPDATELOCALSTORE=%APPDATA%\cspid\policies
#
# CFGUPDATEURL specifies the server and path that stores updated, digitally
# signed configuration files. Either the CFGUPDATEDN or the user's DN will
# be appended to this value along with a platform specific filename to
# specify the file to download. For example,
#
# http://www.infoseccorp.com:8080/isc_policies would become
# http://www.infoseccorp.com:8080/isc_policies/O=ISC/C=US/cspid_win.p7m
;CFGUPDATEURL=
#
# CFGUPDATETIMEOUT specifies the number of seconds that CSPid should wait
# before trying the next potential URL for update files.
;CFGUPDATETIMEOUT=5
#
# CFGUPDATEDN specifies this machine's distinguished name for finding
# updated configuration files. This DN is used if CFGUPDATEUSERDN is 0 or
# if the software is unable to determine the user's DN.
;CFGUPDATEDN=
#
# CFGUPDATEUSEUSERDN specifies whether or not CSPid should attempt to determine
# and use the user's DN for downloading updated configuration files.
# 0 (no)
# 1 (yes)
;CFGUPDATEUSEUSERDN=0
#
# CFGUPDATEPERIOD specifies how frequently CSPid's system tray application
# should perform the configuration file update check.
# 0 (updates disabled)
# >0 (number of days between update checks)
;CFGUPDATEPERIOD=0
#
# CFGUPDATETRUSTMODEL specifies how to trust the policy server's SSL/TLS
CSPid User’s Guide
81
# server certificate.
# 0 Windows Path Validation, use Windows' built in path validation
# 1 CFGUPDATETRUSTANCHOR, the certificate path must be valid and the
# root must the certificate specified in the CFGTRUSTANCHOR option
# 2 CFGUPDATETRUSTDN, the certificate path must be valid and the issuer
# RDN of the highest issuing certificate returned by the server must
# match the value in the CFGUPDATETRUSTDN option
# 3 Updates disabled
;CFGUPDATETRUSTMODEL=3
#
# CFGUPDATETRUSTANCHOR specifies a single trust anchor to which the policy
# server's SSL/TLS server certificate chains. If the policy server's
# certificate path is valid and ends in this certificate the policy will be
# downloaded and treated as authentic. This is a base64-encoded DER
# certificate on a single line.
;CFGUPDATETRUSTANCHOR=
#
# CFGUPDATETRUSTDN specifies issuer RDN that must be in the highest
# issuing certificate returned by the server.
;CFGUPDATETRUSTDN=
#
#########################################################################
#########################################################################
# INSTALLATION OPTIONS
#########################################################################
#
# SECURE specifies whether or not the installation program should
# install this configuration file in a tamper evident manner.
# 0 (no)
# 1 (yes)
# Note, if this is selected and the user tampers with the configuration
# file an error dialog will be displayed and the user's keys will be
# unavailable until the configuration file is restored to its original
# state. This is a Windows-only option and is optional. Configuration
# files found in the installation folder are automatically deemed
# secure. On UNIX a configuration file is deemed secure if it resides
# in /etc or /usr/etc.
;SECURE=0
#########################################################################
#########################################################################
# A NOTE ABOUT COMMANDS
#########################################################################
#
# Options ending in CMD, such as REGAPPSCMD, are handled as follows:
# a. If one or more options with the same value are provided in this
# configuration file each command will be executed when the
# particular event occurs.
# b. If multiple commands are present they are execute in the order
# they appear in this file and each command must finish before
# the next will be started.
# c. On Windows the commands are launched in hidden windows.
#
# For example, to cause 2 additional commands to run when the user
# selects Register with Applications you would add 2 REGAPPSCMD= lines
# to this file like so:
# REGAPPSCMD="C:\My Program\mp1.exe" -L "%TEMP%\logfile.txt"
# REGAPPSCMD="C:\My Program\mp2.exe" -L "%TEMP%\logfile.txt"
# When the event occurs mp1.exe will be executed followed by mp2.exe
#
# Please see the User's Guide for complete details
#########################################################################
Figure 23: A Sample CSPid
Configuration File with Default Settings
CSPid User’s Guide
82
NOTE: On Windows, environment variables may be referenced in the configuration file as illustrated in
the above example. On UNIX, replace %VAR% with the conventional $VAR to dereference an
environment variable named VAR. These variables are expanded prior to use.
CSPid User’s Guide
83
11. Appendix B: Supported PKCS #11 Mechanisms
The following mechanisms are supported through the CSPid PKCS #11 interface.
CKM_RSA_X_509
CKM_RSA_PKCS
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_ECDH1_DERIVE
CKM_ECDH1_COFACTOR_DERIVE
CKM_EC_KEY_PAIR_GEN
CKM_ECDSA
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_AES_CBC
CKM_AES_ECB
CSPid User’s Guide
84
12. Appendix C: The PKCS #15 Key Storage Format
CSPid maintains a key store consisting of a single PKCS #15 PDU containing certificates, private keys,
public keys, and their associated attributes. This PDU is currently stored on the user’s file system (local
disk, removable media, or network drive). Future versions of CSPid may allow the key store PDU to be
stored in alternate locations (such as in a network-accessible database).
12.1. PKCS #15
PKCS #15 specifies syntax for storage of objects, syntax for protecting the confidentiality of sensitive
objects, and a method to ensure the integrity of these objects. A brief summary of those aspects of the
standard used by CSPid is presented below. For more information we refer the reader to the PKCS #15
standards document.
12.2. Object Syntax
PKCS #15 specifies an ASN.1 encoding format for all objects. For software-tokens a single flat file
containing an ASN.1 DER-encoded sequence of objects is generated. This object is defined as a
PKCS15Token. It is made up of a list of key IDs and a list of objects. The key IDs uniquely label the
encrypted objects. A sample PKCS #15 PDU is presented in Appendix D: A Sample PKCS #15 Key Store.
12.3. Confidentiality
PKCS #15 specifies the use of CMS as defined in RFC 3852 using passwords for confidentiality. RFC
3852 specifies that a key-encryption key (KEK) be derived from a password and used to encrypt the
content-encryption key (CEK). The KEK is to be derived from a password according to PKCS #5 v2.0
using PBKDF2. CSPid uses a random salt and an iteration count of 2048 when performing PBKDF2.
CSPid deviates slightly from PKCS #15 and PKCS #5 by using AES-256 in CBC mode (rather than
TDES) for encryption of private objects within the PKCS #15 PDU as specified by RFC 3565 and RFC
3394. RFC 3394 is based on the NIST AES Key Wrap specification. For compatibility with the only
known third party implementation of PKCS #15, CSPid will also support the RFC 3211 mechanism for
decryption only.
Private key objects are encrypted using the algorithms and formats described in the previous paragraph.
The output produced is a CMS EnvelopedData structure that is included, with additional information, in
the eventual PKCS15Token PDU that is saved in the active key store.
CSPid User’s Guide
85
12.4. Integrity
PKCS #15 stipulates the use of CMS as defined in RFC 3852 for assuring the integrity of the PDU.
Specifically, it requires the creation of a CMS enveloped authenticatedData PDU containing both the
PDU and a computed MAC value over it. CSPid
uses HMAC-SHA512 as defined in RFC 4231 with a
random key for the MAC operation, and then wraps the random HMAC key using AES-256 in the same
manner as for the CEK as described above (i.e., with a key derived from the user’s password according to
PKCS #5 v2.0 and PBKDF2.)
12.5. Initialization
When first started, or when the active key store cannot be opened, the PKCS #11 library creates an empty
PKCS #15 PDU and appropriate enveloped authenticatedData structure with a default password of
“PASSWORD” unless otherwise specified in the configuration file (see section 3.5). When the CSPid
management tool detects that the user has not previously set a password, it forces the user to do so. The
user can subsequently use the included utilities to change their password.
CSPid User’s Guide
86
13. Appendix D: A Sample PKCS #15 Key Store
This appendix contains a sample CSPid key store file. The original binary PKCS #15 PDU has been
“pretty printed” using GUIDumpASN.1.
0000 30 96F: SEQUENCE {
0004 06 B: OBJECT IDENTIFIER authData (1 2 840 113549 1 9 16 1 2)
0011 A0 95E: [0] {
0015 30 95A: SEQUENCE {
0019 02 1: INTEGER 0
001C 31 5B: SET {
001E A3 59: [3] {
0020 02 1: INTEGER 0
0023 A0 1B: [0] {
0025 06 9: OBJECT IDENTIFIER pkcs5PBKDF2 (1 2 840 113549 1 5 12)
0030 30 E: SEQUENCE {
0032 04 8: OCTET STRING
: FD D3 C8 2D E1 60 08 AC
003C 02 2: INTEGER 2048
: }
: }
0040 30 D: SEQUENCE {
0042 06 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 1 45'
004D 05 0: NULL
: }
004F 04 28: OCTET STRING
: 1A 2A 61 A5 79 09 15 0E 72 14 D5 9A BB 31 1B 1D
: 9D B0 C8 B2 3A 85 A4 84 70 60 FC B8 D4 EE 43 54
: ED 5A FC C9 56 F8 8E 91
: }
: }
0079 30 C: SEQUENCE {
007B 06 8: OBJECT IDENTIFIER '1 2 840 113549 2 11'
0085 05 0: NULL
: }
0087 A1 D: [1] {
0089 06 9: OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)
0094 05 0: NULL
: }
0096 30 897: SEQUENCE {
009A 06 A: OBJECT IDENTIFIER pkcs15content (1 2 840 113549 1 15 3 1)
00A6 A0 887: [0] {
00AA 30 883: SEQUENCE {
00AE 06 A: OBJECT IDENTIFIER
: pkcs15content (1 2 840 113549 1 15 3 1)
00BA A0 873: [0] {
00BE 30 86F: SEQUENCE {
00C2 02 1: INTEGER 0
00C5 30 868: SEQUENCE {
00C9 A0 36C: [0] {
00CD A0 368: [0] {
00D1 30 364: SEQUENCE {
00D5 30 2E: SEQUENCE {
00D7 0C 28: UTF8String
'90c72555f6a105c071ec670be04120b4350831a3'
0101 03 2: BIT STRING 7 unused bits
: '1'B (bit 0)
: }
0105 30 21: SEQUENCE {
CSPid User’s Guide
87
0107 04 14: OCTET STRING
: 90 C7 25 55 F6 A1 05 C0 71 EC 67 0B E0 41 20 B4
: 35 08 31 A3
011D 03 2: BIT STRING 5 unused bits
: '110'B
0121 01 1: BOOLEAN FALSE
0124 03 2: BIT STRING 4 unused bits
: '1001'B
: }
0128 A1 30D: [1] {
012C 30 309: SEQUENCE {
0130 A2 302: [2] {
0134 02 1: INTEGER 2
0137 31 5B: SET {
0139 A3 59: [3] {
013B 02 1: INTEGER 0
013E A0 1B: [0] {
0140 06 9: OBJECT IDENTIFIER
: pkcs5PBKDF2 (1 2 840 113549
1 5 12)
014B 30 E: SEQUENCE {
014D 04 8: OCTET STRING
: 46 B7 36 0C F7 84 7B C7
0157 02 2: INTEGER 2048
: }
: }
015B 30 D: SEQUENCE {
015D 06 9: OBJECT IDENTIFIER '2 16 840 1
101 3 4 1 45'
0168 05 0: NULL
: }
016A 04 28: OCTET STRING
: EF CC 57 56 44 9A 51 AD FC 4F 6B E6 2D 34 69 0A
: A9 28 D6 F0 D8 70 CD 99 12 90 4A 61 43 D3 63 ED
: 08 37 91 26 00 40 E5 89
: }
: }
0194 30 29E: SEQUENCE {
0198 06 9: OBJECT IDENTIFIER
: data (1 2 840 113549 1 7 1)
01A3 30 1D: SEQUENCE {
01A5 06 9: OBJECT IDENTIFIER
: aes256-CBC (2 16 840 1 101 3
4 1 42)
01B0 04 10: OCTET STRING
: E3 A4 4E 34 FB 0F AF A1 43 92 FD D6 B6 FA 2E B9
: }
01C2 80 270: [0]
: 0E E4 36 24 12 77 55 BE 0E 24 CA F1 B2 7C 6F AE
: 96 1B B6 F1 1B 6E 71 F1 CD 97 D9 F1 4B E1 D5 30
: E6 B7 98 9A C8 7F 4E 17 15 5C CF F3 C7 39 D3 2B
: 62 AE B0 BA 31 72 E4 FC 6C 3A 69 AF BB 9B 43 54
: 54 CB F1 01 F2 EA 4E 87 BB DB BD D7 E8 7F 38 AF
: F3 54 1D A4 6F 47 07 D1 D9 75 64 A5 EF D4 66 10
: 6A EC 51 41 E8 3D 02 3B 8E F6 B7 7D 08 28 03 72
: 09 65 30 B3 38 91 D2 4C 70 5E 57 3C 21 38 40 DC
: [ Another 496 bytes skipped ]
: }
: }
0436 02 1: INTEGER 0
: }
: }
: }
CSPid User’s Guide
88
: }
: }
0439 A1 105: [1] {
043D A0 101: [0] {
0441 30 FE: SEQUENCE {
0444 30 2A: SEQUENCE {
0446 0C 28: UTF8String
'90c72555f6a105c071ec670be04120b4350831a3'
: }
0470 30 21: SEQUENCE {
0472 04 14: OCTET STRING
: 90 C7 25 55 F6 A1 05 C0 71 EC 67 0B E0 41 20 B4
: 35 08 31 A3
0488 03 2: BIT STRING 1 unused bits
: '1000001'B
048C 01 1: BOOLEAN FALSE
048F 03 2: BIT STRING 4 unused bits
: '1000'B (bit 3)
: }
0493 A1 AC: [1] {
0496 30 A9: SEQUENCE {
0499 A0 A2: [0] {
049C 30 9F: SEQUENCE {
049F 30 D: SEQUENCE {
04A1 06 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549
1 1 1)
04AC 05 0: NULL
: }
04AE 03 8D: BIT STRING 0 unused bits,
encapsulates {
04B2 30 89: SEQUENCE {
04B5 02 81: INTEGER
: 00 CB 62 73 50 C9 5D 79 71 64 E9 D1 87 07 D3 88
: AB D6 A1 57 4D CF 34 C2 B8 04 E2 F4 3E EA 71 B4
: 1E 47 9F F3 3E 6C AD A6 9E 26 E4 F4 08 52 A1 E6
: 37 A7 02 B9 24 3E A3 47 5B 95 EB 8A 5F A4 C7 8B
: 79 DC BB D6 30 22 AB 10 B4 5E 05 1A 84 A7 4B 9F
: CF 8E 15 C8 6F 0B D4 75 63 A0 A6 C9 8C BD 96 6D
: 0B 9B 63 5C A3 2B 20 6F 55 98 27 88 91 49 1A E3
: D5 11 30 9E 09 3A 46 91 00 4F 9F 45 10 B5 5C 44
: [ Another 1 bytes skipped ]
0539 02 3: INTEGER 65537
: }
: }
: }
: }
053E 02 2: INTEGER 1024
: }
: }
: }
: }
: }
0542 A4 3EB: [4] {
0546 A0 3E7: [0] {
054A 30 3E3: SEQUENCE {
054E 30 2A: SEQUENCE {
0550 0C 28: UTF8String
'90c72555f6a105c071ec670be04120b4350831a3'
: }
057A 30 16: SEQUENCE {
057C 04 14: OCTET STRING
: 90 C7 25 55 F6 A1 05 C0 71 EC 67 0B E0 41 20 B4
CSPid User’s Guide
89
: 35 08 31 A3
: }
0592 A1 39B: [1] {
0596 30 397: SEQUENCE {
059A 30 393: SEQUENCE {
059E 30 27B: SEQUENCE {
05A2 A0 3: [0] {
05A4 02 1: INTEGER 2
: }
05A7 02 14: INTEGER
: 08 16 D8 EA 0C 26 68 6B 7F 5F F6 9D D6 52 F0 B2
: 58 A4 74 EB
05BD 30 D: SEQUENCE {
05BF 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2
840 113549 1 1 5)
05CA 05 0: NULL
: }
05CC 30 B2: SEQUENCE {
05CF 31 B: SET {
05D1 30 9: SEQUENCE {
05D3 06 3: OBJECT IDENTIFIER
: countryName (2 5 4 6)
05D8 13 2: PrintableString 'US'
: }
: }
05DC 31 B: SET {
05DE 30 9: SEQUENCE {
05E0 06 3: OBJECT IDENTIFIER
: stateOrProvinceName (2 5
4 8)
05E5 13 2: PrintableString 'IL'
: }
: }
05E9 31 23: SET {
05EB 30 21: SEQUENCE {
05ED 06 3: OBJECT IDENTIFIER
: organizationName (2 5 4
10)
05F2 13 1A: PrintableString
'Information Security Corp.'
: }
: }
060E 31 11: SET {
0610 30 F: SEQUENCE {
0612 06 3: OBJECT IDENTIFIER
: localityName (2 5 4 7)
0617 13 8: PrintableString 'Oak Park'
: }
: }
0621 31 21: SET {
0623 30 1F: SEQUENCE {
0625 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2
5 4 11)
062A 13 18: PrintableString 'Research
and Development'
: }
: }
0644 31 14: SET {
0646 30 12: SEQUENCE {
0648 06 3: OBJECT IDENTIFIER
: commonName (2 5 4 3)
CSPid User’s Guide
90
064D 13 B: PrintableString 'ISC Test
CA'
: }
: }
065A 31 25: SET {
065C 30 23: SEQUENCE {
065E 06 9: OBJECT IDENTIFIER
: emailAddress (1 2 840
113549 1 9 1)
0669 16 16: IA5String
: }
: }
: }
0681 30 1E: SEQUENCE {
0683 17 D: UTCTime '061109000000Z'
0692 17 D: UTCTime '071109000000Z'
: }
06A1 30 B5: SEQUENCE {
06A4 31 B: SET {
06A6 30 9: SEQUENCE {
06A8 06 3: OBJECT IDENTIFIER
: countryName (2 5 4 6)
06AD 0C 2: UTF8String 'US'
: }
: }
06B1 31 29: SET {
06B3 30 27: SEQUENCE {
06B5 06 3: OBJECT IDENTIFIER
: organizationName (2 5 4
10)
06BA 0C 20: UTF8String 'Information
Security Corporation'
: }
: }
06DC 31 1E: SET {
06DE 30 1C: SEQUENCE {
06E0 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2
5 4 11)
06E5 0C 15: UTF8String 'R&D (no
assurance CA)'
: }
: }
06FC 31 12: SET {
06FE 30 10: SEQUENCE {
0700 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2
5 4 11)
0705 0C 9: UTF8String 'Test CA 1'
: }
: }
0710 31 18: SET {
0712 30 16: SEQUENCE {
0714 06 3: OBJECT IDENTIFIER
: commonName (2 5 4 3)
0719 0C F: UTF8String 'Test P12
Import'
: }
: }
072A 31 2D: SET {
072C 30 2B: SEQUENCE {
072E 06 9: OBJECT IDENTIFIER
CSPid User’s Guide
91
: emailAddress (1 2 840
113549 1 9 1)
0739 16 1E: IA5String
: }
: }
: }
0759 30 9F: SEQUENCE {
075C 30 D: SEQUENCE {
075E 06 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840
113549 1 1 1)
0769 05 0: NULL
: }
076B 03 8D: BIT STRING 0 unused bits,
encapsulates {
076F 30 89: SEQUENCE {
0772 02 81: INTEGER
: 00 CB 62 73 50 C9 5D 79 71 64 E9 D1 87 07 D3 88
: AB D6 A1 57 4D CF 34 C2 B8 04 E2 F4 3E EA 71 B4
: 1E 47 9F F3 3E 6C AD A6 9E 26 E4 F4 08 52 A1 E6
: 37 A7 02 B9 24 3E A3 47 5B 95 EB 8A 5F A4 C7 8B
: 79 DC BB D6 30 22 AB 10 B4 5E 05 1A 84 A7 4B 9F
: CF 8E 15 C8 6F 0B D4 75 63 A0 A6 C9 8C BD 96 6D
: 0B 9B 63 5C A3 2B 20 6F 55 98 27 88 91 49 1A E3
: D5 11 30 9E 09 3A 46 91 00 4F 9F 45 10 B5 5C 44
: [ Another 1 bytes skipped ]
07F6 02 3: INTEGER 65537
: }
: }
: }
07FB A3 20: [3] {
07FD 30 1E: SEQUENCE {
07FF 30 E: SEQUENCE {
0801 06 3: OBJECT IDENTIFIER
: keyUsage (2 5 29 15)
0806 01 1: BOOLEAN TRUE
0809 04 4: OCTET STRING, encapsulates
{
080B 03 2: BIT STRING 3 unused
bits
: '10111'B
: }
: }
080F 30 C: SEQUENCE {
0811 06 3: OBJECT IDENTIFIER
: basicConstraints (2 5 29
19)
0816 01 1: BOOLEAN TRUE
0819 04 2: OCTET STRING, encapsulates
{
081B 30 0: SEQUENCE {}
: }
: }
: }
: }
: }
081D 30 D: SEQUENCE {
081F 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840
113549 1 1 5)
082A 05 0: NULL
: }
CSPid User’s Guide
92
082C 03 101: BIT STRING 0 unused bits
: 12 18 19 5F 0D 48 F9 EA E7 46 07 2D E5 DB AE 8C
: 27 5A 94 DB 5C EC 11 86 F4 D0 56 D4 EE BB 6E 7F
: 5D D4 E0 86 30 F3 1F 36 4D 72 0D 70 A4 98 3F C7
: 00 EA 85 49 C0 0A A8 72 74 E3 FE 53 28 96 46 87
: 5B FA B0 14 FF 1C 59 17 F3 0D 15 A7 40 74 3F BB
: 42 B8 75 96 85 15 BD F0 8E 2B E1 BE 00 67 BB 77
: A4 AF B0 22 98 C0 98 F9 4B 3B F3 E1 E7 4C 58 B3
: 5F CB 98 A4 12 0F EA 86 6A 69 2D 47 A1 D0 61 D0
: [ Another 128 bytes skipped ]
: }
: }
: }
: }
: }
: }
2BBF A7 EB: [7] {
2BC2 A0 E8: [0] {
2BC5 30 E5: SEQUENCE {
2BC8 30 21: SEQUENCE {
2BCA 0C 1F: UTF8String 'CSPid P15 Stored Options
Object'
: }
2BEB 30 0: SEQUENCE {}
2BED A1 BD: [1] {
2BF0 30 BA: SEQUENCE {
2BF3 30 9: SEQUENCE {
2BF5 04 1: OCTET STRING
: 00
2BF8 04 4: OCTET STRING
: 09 01 05 82
: }
2BFE 30 6: SEQUENCE {
2C00 04 1: OCTET STRING
: 01
2C03 04 1: OCTET STRING
: 01
: }
2C06 30 24: SEQUENCE {
2C08 04 1: OCTET STRING
: 03
2C0B 04 1F: OCTET STRING 'CSPid P15 Stored
Options Object'
: }
2C2C 30 1A: SEQUENCE {
2C2E 04 2: OCTET STRING
: 01 02
2C32 04 14: OCTET STRING
: 31 CD 33 B7 F0 6E 12 7E 05 F3 9C BF 73 BC C5 5F
: F2 2C BA AB
: }
2C48 30 7: SEQUENCE {
2C4A 04 2: OCTET STRING
: 01 64
2C4E 04 1: OCTET STRING
: 01
: }
2C51 30 7: SEQUENCE {
2C53 04 2: OCTET STRING
: 01 65
2C57 04 1: OCTET STRING
: 00
: }
CSPid User’s Guide
93
2C5A 30 17: SEQUENCE {
2C5C 04 4: OCTET STRING
: 82 05 01 10
2C62 04 F: OCTET STRING, encapsulates {
2C64 17 D: UTCTime '061218153524Z'
: }
: }
2C73 30 38: SEQUENCE {
2C75 04 4: OCTET STRING
: 82 05 01 11
2C7B 04 30: OCTET STRING
: 51 AB B9 63 60 78 DE FB 5F C8 A0 3E 2F 9F E3 A9
: D1 0B C1 79 FF 24 57 71 A9 BA 4B 23 90 31 BB 86
: 92 73 13 3F D2 28 2B 59 D6 9B 1C 54 39 5E 0B 37
: }
: }
: }
: }
: }
: }
: }
: }
: }
: }
: }
: }
0931 04 40: OCTET STRING
: A8 43 47 83 D3 03 24 7D BA 25 99 31 FA E5 D0 00
: 3D 66 40 FA 96 76 10 58 2D B6 4A E4 2D FA 53 91
: 75 92 AA 55 17 1D CF 11 48 C0 3E 2B FB 75 00 31
: 4B 62 99 8D B7 DA 5E E5 40 40 39 E5 0F 18 86 8B
: }
: }
: }