csp id user's guide - information security corporation

CSPid

User’s Guide

Version 3.0.1

Simplifying the Management of Cryptographic Credentials and

Enabling Role-based PKI in the Enterprise

Mar 1, 2013

CSPid User’s Guide

2

Information in this document is subject to change without notice and does not represent a commitment on the part of

Information Security Corporation. The software described in this document is furnished under a license agreement

or nondisclosure agreement. The software may be used or copied only in accordance with the terms of the

agreement. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or

mechanical, including photocopying and recording, for any purpose other than the purchaser’s personal use without

the prior written permission of Information Security Corp.

CSPid software is commercial computer software and, together with any related documentation, is subject to the

restrictions on U.S. Government use as set forth below.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the United States Government is subject to

restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at

DFARS 52.227-7013. “Contractor/manufacturer” is Information Security Corporation, 1011 Lake Street, Suite 425,

Oak Park, IL 60301.

The U.S. International Traffic in Arms Regulations (ITARs) (22 CFR 125.03) prohibits the dissemination of certain

types of technical data to foreign nationals.

Protected by U.S. Patents No. 5,274,707, 5,373,560, and 5,699,431.

CSPid is a registered trademark of Information Security Corp. Other product and company names mentioned in this

document may be the trademarks of their respective owners.

The cryptographic functionality of CSPid is provided by CDK 7.0, ISC’s FIPS 140-2 Level 1compliant crypto-

graphic module. In addition, CSPid uses the following open source software packages redistributable under the terms

of the LGPL or other licenses:

FLTK, Version 1.1.7: Copyright© 1998-2005 Bill Spitzak and others.

CSPid is based in part on the work of the FLTK project (http://www.fltk.org). http://www.fltk.org/

PCSC, Version 1.01: Copyright© 2001 Dmitry Basko.

See the readme.txt file located in the pcsc subfolder of the installation for complete license information.

http://www.bds.dogma.net/pc_sc.htm

pugixml, version 1.2: Copyright© 2006-2012Arseny Kapoulkine.

See the pugixml.txt file located in the installation folder for complete license information.

http://www.pugixml.org

CSPid 3.0.1 User’s Guide, First Edition (Feb 2013)

©2007-13 Information Security Corp. All rights reserved.

Information Security Corporation

1011 Lake Street, Suite 425

Oak Park, IL 60301

Phone: +1 847 405-0500

Fax: +1 708 445-9705

Website: http://www.infoseccorp.com

E-mail: [email protected]

http://javaldap.sourceforge.net/

http://www.infoseccorp.com/

mailto:[email protected]


3

Table of Contents

1. Introduction ........................................................................................................................ 8

1.1. Overview ......................................................................................................................... 8

1.2. CSPid Architecture .......................................................................................................... 8

1.3. CSPid Events ................................................................................................................ 10

1.4. CSPid DAS Support ...................................................................................................... 11

1.4.1. Notes ..................................................................................................................... 12

2. Installation ........................................................................................................................ 13

2.1. Overview ....................................................................................................................... 13

2.2. System Requirements .................................................................................................. 14

2.3. Windows ....................................................................................................................... 15

2.4. UNIX ............................................................................................................................. 16

3. Configuration .................................................................................................................... 17

3.1. Using CSPid with a Web Browser ................................................................................. 17

3.1.1. CAPI-based Browsers ........................................................................................... 17

3.1.2. Netscape-based Browsers .................................................................................... 17

3.2. Enrollment with a Web Browser ................................................................................... 17

3.2.1. CAPI-based Browsers ........................................................................................... 17

3.2.2. Netscape-based Browsers .................................................................................... 17

3.2.3. Other ..................................................................................................................... 17

3.3. Using CSPid with Java Applications .............................................................................. 18

3.4. Using CSPid with Apache Tomcat ................................................................................. 19

3.5. The CSPid Configuration File ........................................................................................ 19

3.5.1. Windows ................................................................................................................ 19

3.5.2. UNIX ...................................................................................................................... 19

3.5.3. CSPid Events .......................................................................................................... 20

3.5.4. Controlling Certificate Visibility .............................................................................. 21

3.5.5. Updating the Configuration File ............................................................................. 21

3.5.6. Password Reset Agents ........................................................................................ 23

3.5.7. Configuration Options ............................................................................................ 23

4. Using CSPid ....................................................................................................................... 37

4.1. The CSPid Management Tool ........................................................................................ 37


4

4.1.1. Two Views of the Key Store .................................................................................. 38

4.1.2. Importing Credentials ............................................................................................ 39

4.1.3. Exporting Credentials ............................................................................................ 40

4.1.4. Deleting Credentials .............................................................................................. 40

4.1.5. Changing Your Password ...................................................................................... 41

4.1.6. Initiating Password Reset ..................................................................................... 42

4.1.7. Handling a User’s Password Reset Request (PRA only) ...................................... 43

4.1.8. Completing Password Reset ................................................................................. 43

4.1.9. Viewing Client Applications ................................................................................... 43

4.1.10. Registering With Applications ................................................................................ 44

4.1.11. Renewing Your Certificates ................................................................................... 44

4.1.12. The About Dialog ................................................................................................... 45

4.1.13. Terminating the Management Tool ....................................................................... 45

4.1.14. The Management Tool Command Line ................................................................. 45

4.2. The CSPid Command Line Tools .................................................................................. 48

4.2.1. cspid_cli ................................................................................................................. 48

4.2.2. cspid_ln (Windows Only) ....................................................................................... 53

4.3. The CSPid Audit Trail .................................................................................................... 55

4.3.1. Windows ................................................................................................................ 55

4.3.2. UNIX ...................................................................................................................... 55

5. CSPid Password and Key Management .......................................................................... 56

5.1. Password Management ................................................................................................ 56

5.1.1. Password History .................................................................................................. 56

5.1.2. Forced Password Change ..................................................................................... 56

5.1.3. Administrative Password Reset ............................................................................. 56

5.1.4. Password Timeout ................................................................................................. 57

5.1.5. Password Caching ................................................................................................ 57

5.2. Key Management ......................................................................................................... 58

5.2.1. Encrypted Memory ................................................................................................ 58

5.2.1.1. Encrypted Memory on Windows 2000 and Windows XP ...................................... 59

5.2.1.2. Encrypted Memory on Windows Vista and Windows 7 ......................................... 60

5.2.1.3. Encrypted Memory on UNIX-based Systems ........................................................ 60

5.2.2. Password Timeout Implementation Details ........................................................... 60

5.2.3. Key Management in the CSPid Management Tool ................................................ 61

6. CSPid Libraries .................................................................................................................. 62

6.1. The PKCS #11 Library .................................................................................................. 62

6.2. The Microsoft Windows Library .................................................................................... 62

7. Quality Assurance Issues ............................................................................................... 63

7.1. Testing Methodology .................................................................................................... 63

7.2. Known Issues ............................................................................................................... 64


5

7.2.1. Windows ................................................................................................................ 64

7.2.2. Netscape 4.x or higher w/o PSM ........................................................................... 64

7.2.3. Netscape 4.75 or higher w/PSM 1.4 ...................................................................... 64

7.2.4. Internet Explorer .................................................................................................... 64

7.2.5. Microsoft Outlook .................................................................................................. 64

8. Net-Centric Applications ................................................................................................. 65

8.1. Role-Based Authentication ........................................................................................... 65

8.2. Role-Based Encryption ................................................................................................. 66

8.3. Confidentiality within a Community of Interest .............................................................. 66

8.4. Expanded Storage and Enhanced Security for Private Keys ....................................... 67

8.5. Brokered Authentication - “Need-to-Know” Control Over Sensitive Resources............ 68

9. References ........................................................................................................................ 70

10. Appendix A: Default Configuration File ......................................................................... 72

11. Appendix B: Supported PKCS #11 Mechanisms .......................................................... 83

12. Appendix C: The PKCS #15 Key Storage Format ......................................................... 84

12.1. PKCS #15 ................................................................................................................. 84

12.2. Object Syntax ............................................................................................................ 84

12.3. Confidentiality ........................................................................................................... 84

12.4. Integrity ..................................................................................................................... 85

12.5. Initialization ............................................................................................................... 85

13. Appendix D: A Sample PKCS #15 Key Store ................................................................. 86


6

List of Figures

Figure 1: CSPid 3.0 Architecture Diagram ..................................................................................... 9

Figure 2: Modifying the java.security File ............................................................................ 18

Figure 3: Modifying Your Java Code ........................................................................................... 18

Figure 4: Modifying Java SSL/TLS Properties ............................................................................ 18

Figure 5: Modifying the Tomcat server.xml File ..................................................................... 19

Figure 6: The CSPid System Tray Menu ..................................................................................... 37

Figure 7: The CSPid Manager’s Main Window (Standard View) ................................................. 38

Figure 8: The CSPid Manager’s Main Window (Advanced View) ................................................ 38

Figure 9: Importing a File ............................................................................................................ 39

Figure 10: Exporting a File .......................................................................................................... 40

Figure 11: Confirming Certificate Deletion .................................................................................. 40

Figure 12: Confirming Private Key Deletion ................................................................................ 41

Figure 13: Changing Your CSPid Password ................................................................................ 41

Figure 14: Viewing Registered Applications ............................................................................... 44

Figure 15: Viewing the About Dialog ........................................................................................... 45

Figure 16: The cspid_cli Interface ............................................................................................... 49

Figure 17: The cspid_ln Interface ............................................................................................... 54

Figure 18: Watch Officers Sign Messages with Shared Role Key on DAS Server ..................... 65

Figure 19: Commander Decrypts Documents Using Role Key on DAS Server .......................... 66

Figure 20: CoI Members Decrypt Documents Using CoI Key on DAS Server ............................ 67

Figure 21: Officer Retains Access to His Entire Key History ...................................................... 68

Figure 22: A DAS Server Used to Impose Strong "Need-to-Know" Controls over Sensitive Resources ................................................................................................................................... 68

Figure 23: A Sample CSPid Configuration File with Default Settings .......................................... 81


7

List of Tables

Table 1: CSPid Events ................................................................................................................. 11

Table 2: System Requirements ................................................................................................... 14

Table 3: CSP Options ................................................................................................................. 25

Table 4: Log Options ................................................................................................................... 26

Table 5: Password Options ......................................................................................................... 30

Table 6: Netscape/Mozilla Options ............................................................................................. 31

Table 7: Import/Export Options ................................................................................................... 32

Table 8: Event Handling Options ................................................................................................ 34

Table 9: DAS Options ................................................................................................................. 35

Table 10: Configuration File Update Options .............................................................................. 36

Table 11: Management Tool Command Line Options ................................................................ 47

Table 12: cspid_cli Options ......................................................................................................... 53

Table 13: cspid_ln Options ......................................................................................................... 55

Table 14: Test Configurations ..................................................................................................... 63


8

1. Introduction

1.1. Overview

Abstract: This document describes a platform-agnostic software product that acts as a universal key

store as well as a cryptographic service provider. Accessed via Microsoft CAPI, or via its industry

standard PKCS #11 interface, CSPid ensures that authorized security-enabled applications have instant

access to the user’s latest certificates and private keys without the need to synchronize or replicate

credentials among those applications. Using platform-independent PKCS #15 key stores, CSPid simplifies

the migration of credentials between workstations with different operating systems. After presenting a

technical overview of the product, this document covers the installation, administration, and use of CSPid.

This document describes a software package that manages a user’s X.509 credentials, securely protecting

them while making them available upon demand (with appropriate authentication) to any security-enabled

application, and allowing them to be easily migrated between workstations in an operating system-

independent manner.

CSPid is a virtual smartcard that maintains a central repository for private keys and X.509 certificates on

behalf of its owner. It provides a secure environment for cryptographic operations that applications can

access via Java, PKCS #11, or Microsoft CAPI.

The CSPid system:

1. provides a single OS-independent credential store that may be shared by all security-enabled

applications on the user’s system

2. provides superior protection for private keys and overcomes password change/reset issues with

Windows, Internet Explorer, and Mozilla

3. simplifies enterprise-wide credential management: users need not replicate keys among

applications, and may effortlessly migrate credentials between workstations

4. provides administrative control over security policy settings and can be augmented to support key

escrow, key recovery, and/or password reset functions

5. provides event hooking enabling the execution of external programs based on events

6. reduces help desk costs and PKI training requirements

A major step forward in credential management, CSPid’s programming interfaces allows administrators to

build custom, nearly user-transparent PKI enrollment, key rollover, credential backup, and other

management tools that dramatically simplify the PKI experience for an organization’s end-users.

1.2. CSPid Architecture

The CSPid

system consists of four components:

a credential store: an encrypted file stored by the system on a local fixed disk, on removable

media, or on a remote network drive

a PKCS #11 library providing access to the credential store and certain private key operations


9

a smart card minidriver that is used by the Microsoft Windows Base Smart Card Cryptographic

Service Provider (CSP) to provide access to the integrated PKCS #11 library to Microsoft

CryptoAPI-enabled applications (such as Internet Explorer, Microsoft Outlook, and Microsoft

Outlook Express)

a set of tools that permit the end-user to easily configure and maintain the CSPid system

AdministratorEnd-User

PKCS#11-Enabled Application

(Netscape, Notes, Mozilla Firefox/Thunderbird,

SecretAgent, SpyProof!, any Java application, etc.)

CAPI/CNG-Enabled

Windows Application

(Microsoft Outlook, Internet Explorer,

EFS, SecretAgent, etc.)

CSPid

Virtual Smartcard

CAPI/CNG

one configurable PKCS#15 key store per user

(future extensibility)

local or network-attached, file-based key store

remote HTTPS-based key store

(future enhancement)

CSPid

Manager

(command line and

graphical interfaces)

Base CSP

Smart Card

Minidriver

PKCS #11 Library

CSPid

Events

(handlers for

enrollment,

renewal,

program

registry,

certificate

retrieval, etc.)

DAS Comm.

Module

PKCS #15 Key Store

ManagerISC CDK 7.0

Key Stores

DAS servers to support

role-based operations

Smart Card Authentication

(optional)

signature server

decryption server

Figure 1: CSPid

3.0 Architecture Diagram

As illustrated in the above diagram, a PKCS #11 library (based on ISC’s FIPS-validated CDK 7.0), a

PKCS #15 key store manager, a smart card minidriver, and the CSPid management tools represent the core

components of the CSPid system. These tools and the provided APIs allow users to manage their key

stores and easily integrate CSPid into existing applications. As of version 2.0, the DAS communication

module allows CSPid to provide all applications (including Outlook and Thunderbird S/MIME) high-

assurance "role-based" signature and decryption operations that rely on remote private keys, possibly

stored on an HSM (requires DAS 1.8 or above).


10

1.3. CSPid Events

CSPid exposes a portion of its programmable “event model interface” through its configuration file. This

interface, fully described in Chapter 3, allows an administrator to manage an end-user’s system and

credentials by means of custom scripts that are automatically executed in response to certain trigger

events. Among the events for which such custom “handlers” can be installed are:

initial PKI enrollment or key import

certificate renewal/key rollover

certificate import

manual selection of the “Register with Applications” command

manual selection of the “Renew My Certificates” command

manual selection of the “Reset Password” command

Event Name Triggers Configuration Options

Start up The CSPid Manager starts and the user

successfully authenticates.

The CSPid Manager will execute these commands allowing

the import/removal of DAS or issuer certificates or other

operations that need to occur daily.

Enrollment The CSPid Manager starts and no

credentials are found.

CSPid provides three choices for handling this event:

transfer credentials from the CAPI “personal”

store

run one or more commands

open a URL

The options are tried in the order listed above. If there are

still no private key objects present after running the option

the next option is attempted. If there are still no private key

objects present after running all the options the Renewal

event is run.

Renewal The CSPid Manager starts and all of the

existing signing credentials, or all of the

existing encrypting credentials, will be

invalid within a specified number of

days.

The user selects the Renew My

Certificates menu command.

cspid_ui.exe --renew is executed.

Enrollment fails to create a private key

object.

CSPid supports a single trigger setting:

lead time prior to expiration

and provides two event handling options:

open a URL


New Signing

Credential

A signing certificate is imported and a

matching private key is found in CSPid.

CSPid creates necessary entries in the user’s CAPI

“personal” store; if the certificate was imported from a

third-party application, CSPid can run one or more external

commands.

New

Encryption

Credential

An encrypting certificate is imported

and a matching private key is found in

CSPid.


“personal” store; if the certificate is imported from a third-

party application, CSPid can run one or more external


11

commands.

New DAS

Signing

Credential

A DAS-enabled signing certificate is

imported and DAS support is enabled.


“personal” store; if the certificate was imported from a

third-party application, CSPid can run one or more external

commands.

New DAS

Encryption

Credential

A DAS-enabled encrypting certificate is

imported and DAS support is enabled.


“personal” store; if the certificate is imported from a third-

party application, CSPid can run one or more external

commands.

Register

with

Applications

The user selects the Register with

Applications menu command.

The user imports a recently issued

PKCS #12 file and

P12IMPORTREGAPPS is non-zero.

cspid_ui.exe --register is executed.

In addition to configuring the CAPI store and Netscape-

based applications, CSPid can run one or more external

commands.

Reset

Password

The user selected the Reset Password

menu command or clicks the Forgot

Password? link in the password dialog.

CSPid provides three choices for handling this event:

e-mail the password reset request file to one or

more administrators using the default mailer


allow the user to save the file to a location of

their choice

An optional message can be displayed to the user before

any of these occur.

Table 1: CSPid

Events

1.4. CSPid DAS Support

CSPid versions 1.2 and above includes optional DAS support. DAS is a server-side component that

provides role-based capabilities enabling users to either sign for a role or decrypt anything encrypted for a

particular role. When C_Decrypt is called CSPid communicates with a DAS server in order to unwrap the

symmetric key which is then rewrapped for the specific user. CSPid then uses the user’s private key to

unwrap the response from the server. When C_Sign is called CSPid communicates with a DAS server

which performs the signature operation. Support for DAS in CSPid is accomplished by

enabling DAS operations via the configuration file

importing one or more DAS CoI certificates into CSPid

With DAS enabled, CSPid will assert to applications that the private key for each DAS CoI certificate

resides locally and can be used via CSPid. To do this, CSPid creates a temporary private key object for

each DAS CoI certificate when C_Initialize or C_CreateObject is called. Each temporary private key has

a vendor defined attribute enabling CSPid to differentiate real private keys from DAS CoI private keys

when C_Sign or C_Decrypt are called. These objects are not permanent and will disappear if DAS is not

enabled in the configuration file.


12

When an application asks CSPid to decrypt or sign using one of these temporary private key objects, CSPid

interacts with a DAS server to perform the operation only if the user is a member of the community. For

decrypt operations membership is checked using the encryption certificate provided to the DAS server.

DAS operations require SSL/TLS client authentication and, for unwrap requests, an encryption certificate

(see the DAS documentation for a complete description of a DAS transaction). CSPid automatically

selects the best certificates for both authentication and rewrap purposes using the notBefore date and, if

specified in the configuration, preferred issuer information. The private keys for the selected

certificates may reside either within CSPid

itself (as software keys) or on a hardware token (e.g.,

CAC) specified in the configuration file. In the latter scenario CSPid

can store only the DAS CoI

certificates and no private keys are required to reside in CSPid

.

Inclusion of DAS support in CSPid allows any application to be DAS enabled including Microsoft

Outlook and Mozilla Thunderbird. This allows users to send S/MIME encrypted and signed e-mail in a

role based fashion rather than a user based fashion. Only members of a particular role will be able to

decrypt the e-mail messages and only members of the role will be able to sign e-mail messages as the

role. Chapter 8 Net-Centric Applications provides more information on this capability and its uses.

1.4.1. Notes

If a DAS server reports that a user is not a member of the group, the COI certificate is removed

from CSPid and the user is told to try the operation again.

CSPid automatically picks the certificate for DAS authentication and group membership for the

user. This can be controlled using the configuration file options: DAS_SIGN_ISSUER_ID,

DAS_ENC_ISSUER_ID, DAS_ENC_LABEL_ID, DAS_SIGN_LABEL_ID

Specific events related to the import of DAS COI certificates are available that mimic the events

that are associated with the import of actual credentials. These options are:

NEWDASSIGNCERTCMD, NEWDASENCCERTCMD


13

2. Installation

2.1. Overview

CSPid is available on a variety of platforms and the installation process is platform-dependent. The

following files are typically installed:

the CSPid management tool (cspid_ui.exe or cspid_ui) and, if available, its translation files

(*.qm)

the CSPid command line tool (cspid_cli.exe or cspid_cli)

the CSPid PKCS #11 Library (cspid.dll or libcspid.so)

the modutil component of the Mozilla NSS toolset (nss3.9)

a CSPid configuration file (cspid.cfg) – optional

the CSPid User’s Guide (cspid.pdf) – optional

On Windows systems the following additional items are installed:

the Microsoft Smart Card Base Cryptographic Service Provider (if not already installed)

the CSPid Smart Card Minidriver (cspid.dll)

the CSPid Virtual Smart Card Reader Driver (cspidrdr.sys)

shortcuts in the Windows Start Menu for viewing this User’s Guide and starting the CSPid

management tool

a Java PKCS #11 configuration file (java_pkcs11.cfg)

the CSPid Lotus Notes command line configuration tool (cspid_ln.exe)

a Firefox and Thunderbird add-on that enables them to use CSPid

When run within a Citrix or remote desktop environment CAPI/CNG applications (Outlook, Internet

Explorer, etc.) may fail to function properly unless the CSPid smartcard reader device driver is installed on

the end point device (i.e. the client device) and, in the Citrix case, smartcard forwarding is enabled. Please

refer to the Citrix documentation. A special, driver only, package is available for installation on end

points. Alternatively, the Citrix smart card hook may be disabled. Please see the Using CSPid within a

Citrix VDI Environment for details.


14

2.2. System Requirements

The following table lists the minimum version numbers for several of the most common applications that

one might wish to use with CSPid:

Supported Browsers

Internet Explorer 4 or higher

Netscape 4.75 or higher

Mozilla 1.0 or higher

Firefox 1.0 or higher

Java Java 1.5 and higher w/PKCS #11 support (see Java PKCS #11)

Operating Systems

Windows XP SP 1 or higher

Windows Server 2003 (x86 & x64)

Windows Server 2008 (x86 & x64)

Windows Vista (x86 & x64)

Windows 7 (x86 & x64)

Windows 8 (x86 & x64)

Solaris 8 or higher for SPARC

RedHat Enterprise Linux 4 or higher for x86

Table 2: System Requirements


15

2.3. Windows

CSPid for Windows is distributed as standard MSI installation package that provides a wizard for

individual installation as well as supporting automated installation mechanisms. This setup program first

installs the core CSPid components; it will then install the translation files, configuration file, and user’s

guide if they are present in the same folder as the MSI file. The following MSI command line parameters

are available (options may be combined):

Option Values Notes

CONFIGFILELOC <path to cspid.cfg> To specify the location of the

configuration file to install

execute:

msiexec.exe /I cspid.msi

CONFIGFILELOC=<path to cspid.cfg>

ASSOCP12 0 (no)

1 (yes)

To have the installation associate

.p12 and .pfx files with the CSPid

Manager execute:


ASSOCP12=1

NOCSPIDMGR 0 (no)

1 (auto-start disabled)

2 (1 + no shortcuts)

To prevent the CSPid Manager from

automatically starting when the

user logs into Windows:


NOCSPIDMGR=1

Setting NOCSPIDMGR=2 will

additionally prevent the user’s

guide and CSPid Manager short cuts

from being created.

NOVCRT 0 (no)

1 (yes)

To prevent the installation of the

Visual C++ Runtime Libraries

(which sometimes conflict with

existing installed versions)

execute:

msiexec.exe /I cspid.msi NOVCRT=1

To further customize CSPid, open the cspid.cfg file in an editor prior to installation, and modify the

options settings as desired. (See section 3.5 for more information.) Be sure to save the modified

configuration file into the same folder as the cspid.msi file. Then install the CSPid system by executing

cspid.msi and following the prompts.

After installation on a Windows system, the CSPid management tool (see section 4.1) will automatically

start up and run in the system tray each time the user logs in unless NOCSPIDMGR is used. The first time

the tool is executed it will ask the user to set the CSPid password if necessary (unless AUTO_INIT=0 is

specified in the configuration file).


16

2.4. UNIX

CSPid for UNIX is distributed as a single compressed tar ball (cspid.x.y.z.os.processor.tar.gz) that

must be decompressed and untar’d. The resulting cspid folder contains an INSTALL file that provides

platform-specific installation tips. Typically all that is required is to move the cspid folder to /opt/cspid

and to edit the cspid.cfg file.

To customize the way CSPid behaves, modify the options settings in cspid.cfg as desired. (See section

3.5 for more information.) libcspid.so and all associated utilities read their program configuration data

from cspid.cfg location in one of the following folders (in the order listed): /etc, /usr/etc,

/opt/cspid or the folder specified in the CSPidInstDir environment variable, if one is set. If the file is

located in /etc or /usr/etc it is considered secure allowing password reset and other sensitive settings to

be enabled.

After installation, all users should execute the following command to register CSPid with Netscape-based

PKCS #11 applications on their system:

/opt/cspid/cspid_cli –r

Alternatively users can use the included Firefox and Thunderbird extension (cspid.xpi) to add CSPid

support.

In the event that the Renew My Certificates feature (see section 4.1.11) is not functioning, users may need

to set a BROWSER environment variable that points to the web browser to use for enrollment.

Ideally /opt/cspid/cspid_ui will be configured to automatically start when each user logs into their

desktop.


17

3. Configuration

3.1. Using CSPid with a Web Browser

3.1.1. CAPI-based Browsers

When CSPid is installed, the certificates in its key store are copied into the appropriate CAPI stores (and

linked to the private keys stored in CSPid) and are therefore available to any Microsoft CryptoAPI-based

application (such as Internet Explorer and Outlook). Users will be prompted to enter a smart card PIN

(their CSPid password) once per application instance.

3.1.2. Netscape-based Browsers

CSPid must be registered with Netscape-based programs before it can be used by them. On Windows, a

Firefox and Thunderbird compatible Add-on is installed on Windows that automatically performs the

required task. On UNIX, users may use the CSPid management tool’s Registering with Applications

command (see section 4.1.10; or use the appropriate CSPid Command Line option as described in section

4.2) to configure newly created Netscape-based profiles.

To manually register CSPid with a Netscape-based product, just add cspid.dll or libcspid.so to its list

of supported PKCS #11 tokens by opening the product’s Preferences dialog and modifying the “Security

Devices” or “Advanced” properties.

Once CSPid has been registered, ISC CSPid should appear in its list of available cryptographic tokens and

users will be prompted for the ISC CSPid password as needed.

3.2. Enrollment with a Web Browser

3.2.1. CAPI-based Browsers

To ensure that CSPid generates and stores users’ private keys during PKI enrollment, users should

explicitly tell the enrollment application to use the Microsoft Base Smart Card Crypto Provider as its

cryptographic service provider (CSP). When Internet Explorer, for example, is configured in this way and

used for PKI enrollment, it will use CSPid to generate and store private keys and to construct certificate

requests. Alternatively, the certificate authority may be capable of controlling the CSP that is used and

could be configured to only use the Microsoft Base Smart Card Crypto Provider.

3.2.2. Netscape-based Browsers

To ensure that CSPid generates and stores users’ private keys during PKI enrollment, users must select

ISC CSPid as the cryptographic token to use when prompted by the browser.

3.2.3. Other

If scripting enrollment, administrators may use CSPid’s command line utility (cspid_cli) to generate

suitable certificate requests. The cspid_cli includes a --gen-p10 command that will create a PKCS#10


18

certificate request whose private key resides in CSPid. The request is suitable for uploading to a CA using

the --post option to submit the request or using any other means to submit the request. The issued

certificate may be picked up by the user using either Internet Explorer, Firefox, or simply by importing

the issued certificate into CSPid.

3.3. Using CSPid with Java Applications

On Windows, recent versions of Java include support for Microsoft CAPI as a keystore. On such systems,

Java, like other CAPI-based applications, requires no additional configuration to work with CSPid.

Otherwise, some manual configuration of a system is required to use CSPid with Java applications.1 Since

complete instructions are available from Sun2, only an outline of the required procedures is provided in

this section.

To make CSPid available to all Java programs on a system, add a line to the java.security file that

references the Java PKCS #11 configuration file, java_pkcs11.cfg, placed in the CSPid folder during

installation. A sample is provided below:

security.provider.7=sun.security.pkcs11.SunPKCS11 c:/Program Files/CSPid/java_pkcs11.cfg

Figure 2: Modifying the java.security File

To make CSPid available to a Java program programmatically, insert the following lines:

String configName = "C:/Program Files/CSPid/java_pkcs11.cfg";

Provider p = new sun.security.pkcs11.SunPKCS11(configName);

Security.addProvider(p);

KeyStore ks = KeyStore.getInstance("PKCS11");

// PIN is the CSPid login password.

ks.load(null, PIN.toCharArray());

Figure 3: Modifying Your Java Code

To use CSPid for client authentication in SSL/TLS connections in existing programs, users may have to

set the following system properties with the –D option. See Java SSL/TLS for more information.

javax.net.ssl.keyStoreType=PKCS11

javax.net.ssl.keyStorePassword=<password>

javax.net.ssl.keyStore=NONE

javax.net.ssl.keyStoreProvider=SunPKCS11-CSPid

Figure 4: Modifying Java SSL/TLS Properties

1 Java 2 version 1.5 or above is required for native PKCS #11 support through the JDK; earlier versions of Java might be able to access CSPid on

certain platforms, but this use is not supported by ISC.

2 See http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html

http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html


19

A sample Java program, cspid.java, that illustrates how CSPid may be used programmatically from

within Java code is included in the installation.

3.4. Using CSPid with Apache Tomcat

To use CSPid as the TLS key container for Apache Tomcat, the java.security file must be modified as

indicated in Figure 2 above, and the server.xml file located in

<Tomcat Home>/conf/server.xml must be changed so that it looks roughly as follows:

<Connector port="443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"

keystoreType="PKCS11" keystorePass="PASSWORD" />

Figure 5: Modifying the Tomcat server.xml File

With these settings CSPid will be used as the server’s keystore and trust keystore.

If TLS client authentication is enabled by setting clientAuth=“true” in the server.xml file, only client

certificates subordinate to a root certificate stored in CSPid will be accepted.

3.5. The CSPid Configuration File

CSPid

‘s operating characteristics can be controlled by modifying the cspid.cfg file before or after

installation. If no cspid.cfg file is found, CSPid will operate with its default internal settings reproduced

in Appendix A: Default Configuration File.

Starting with version 3.0.0 the cspid.cfg file can be created using ISC’s central policy management tool.

This tool allows you to create both the initial policy and update policies to be placed on a server and

downloaded by CSPid as described later in this document.

3.5.1. Windows

On Windows, the active configuration file is the one cspid.dll finds in its own folder upon startup. If

the configuration file loaded resides in the installation folder (as found in the registry) it is considered

secure enabling the use of sensitive options like password recovery agents.

On Windows systems, CSPid expands the JAVA_HOME and CSPID_HOME environment variables with

appropriate values when they are used in configuration file event handlers (REGAPPSCMD,

ENROLLCMD, etc.).

3.5.2. UNIX

On UNIX, libcspid.so searches the following directories, in order, for cspid.cfg: /etc, /usr/etc,

/opt/cspid, the directory specified by the CSPidInstDir environment variable. Searching these system

directories should ensure that only a configuration file installed by an administrator is used. Configuration


20

files in /etc and /usr/etc are considered secure enabling the use of sensitive options like password

reset agents.

3.5.3. CSPid

Events

Before delving into the details of CSPid Events (see Table 8: Event Handling Options), consider for a

moment the following reasonable scenario: suppose that an administrator wants to facilitate PKI

enrollment and application configuration for end users by performing the following, fairly typical, tasks:

1. have a user who has no existing credentials obtain a signing certificate from the enterprise CA

using his default web browser,

2. use the signing certificate just obtained to download via client-authenticated SSL a PKCS#12

PDU containing (a possibly escrowed) encryption key,

3. import the PKCS#12 PDU into CSPid and then delete it,

4. publish the user’s new credentials to the Exchange Global Address List (GAL), and

5. configure Microsoft Outlook to use the new credentials for S/MIME.

Employing CSPid event handlers (along with cmu, ISC’s Credential Management Utility), an administrator

can accomplish these five steps by:

i. adding the following line to the cspid.cfg configuration file to cause each occurrence of an

Enrollment event (an event triggered by the user starting CSPid with no credentials in their active

key store) to be handled by opening the specified webpage in the user’s default browser:

ENROLLURL=http://ca1.yourorganization.com/enroll

ii. adding the following five lines to the cspid.cfg to handle occurrences of the New Signing

Credential event:

NEWSIGCERTCMD= “C:\CMU\cmu.exe” d “%TEMP%\temp.p12”

NEWSIGCERTCMD= “C:\Program Files\CSPid\cspid_ui.exe” -i -f "%TEMP%\temp.p12"

NEWSIGCERTCMD= del “%TEMP%\temp.p12”

NEWSIGCERTCMD= “C:\CMU\cmu.exe” p

NEWSIGCERTCMD= “C:\CMU\cmu.exe” m

This handler, whose execution is triggered by the retrieval of a new signing certificate (possibly caused

by the completion of the enrollment process handled in step i), invokes cmu several times to download the

user’s escrowed encrypting PKCS #12 file, install it into their key store, publish the new credentials to

GAL, and configure their default MAPI provider.

http://ca1.yourorganization.com/enroll


21

3.5.4. Controlling Certificate Visibility

By default, all certificates stored within CSPid are visible to all applications. However, it is possible to

hide certain certificates from certain applications if this is desired or required for security reasons. CSPid

accomplishes this by allowing an application blacklist (or whitelist) to be specified on a per-certificate

basis in the CSPid key store. Certificate black-/whitelists can be set either during certificate import using

the cspid_cli program, or edited at a later time using the CSPid Manager. These lists may consist of

actual application names or admin-defined tags that refer to applications specified in the configuration

file. (The tag method is preferred as it enables the lists to be changed without modifying the CSPid key

store.) The special tag value CAPI represents the Microsoft Windows CAPI store and all applications that

use it.

For example, to prevent Firefox and Thunderbird from using a particular certificate, set its blacklist to

some admin-defined tag, say MOZILLA, and add a corresponding BL-prefixed tag specifying the comma-

delimited list of proscribed applications to the configuration file:

BLMOZILLA=firefox.exe,thunderbird.exe

Similarly, to allow only CAPI-enabled applications to see a particular certificate, set its whitelist to an

admin-defined tag, say CAPIONLY, and add a corresponding WL-prefixed tag specifying CAPI to the

configuration file:

WLCAPIONLY=CAPI

Filtering can also be performed based on the CSPid library name in those situations in which application

names are not unique (as is typically the case for Java-based applications). In these situations, a copy of

cspid.dll can be made with a new name, an application is configured to use the newly-named library,

and this new library name is used in a whitelist or blacklist.

3.5.5. Updating the Configuration File

As described above, an initial configuration file is usually installed on each system on which the CSPid

software is installed. To facilitate the subsequent modification of configuration file settings, CSPid

supports the following web-based update mechanism: an updated configuration file is placed on a web

server (IIS, Apache, etc.) configured with SSL server authentication. When CSPid connects to the server it

checks the validity of the server’s certificate and, if it is valid, CSPid attempts to retrieve an updated

configuration file to use in place of the initial configuration file. Updates may be performed manually

using the cspid_cli tool or set to run periodically using the CSPid Manager. The Windows Task

Scheduler (or UNIX cron command) can also be used to run cspid_cli on a scheduled basis.

By default, the CSPid Manager checks for updated files only when it starts, so if a user never logs out

updates will not occur. To get around this and check for updates on a regular basis, use the

CFGUPDATEPERIOD setting.

Updates are cached locally in an encrypted file in the folder specified by the CFGUPDATELOCALSTORE

setting. The local cache is used if it is valid and will completely override all settings enabling

administrators to update the password reset agents, trust anchors and all other options from a central

location.

When an update occurs, CSPid uses DN information – first the user’s, if allowed and determinable, then

the CFGUPDATEDN value in the base configuration file – to locate update files on the server. The DN is


22

converted to lowercase and successively truncated of leading RDNs until either an update is found or the

DN is empty. For example, if the configuration file contains:

CFGUPDATEURL=https://www.infoseccorp.com/isc_policies

CFGUPDATEDN=OU=Sales, O=ISC, C=US

CSPid would check the following locations:

https://www.infoseccorp.com/isc_policies/ou=sales/o=isc/c=us/cspid_win.cfg

https://www.infoseccorp.com/isc_policies/o=isc/c=us/cspid_win.cfg

https://www.infoseccorp.com/isc_policies/c=us/cspid_win.cfg

NOTE: UNIX configuration update files are named cspid_unix.cfg. Windows configuration

update files are named cspid_win.cfg.

If the configuration file enables the use of the user’s DN for updates (CFGUPDATEUSEUSERDN=1) then CSPid

will attempt to determine the user’s DN (by locating the most recently issued certificate with a private key

in CSPid itself using the DAS configuration options for AKI, Issuer DN, and Label, or, failing that,

finding the most recently issued certificate with a private key in a configured PKCS #11 device with the

same algorithm). The first update always uses the configuration file’s DN because the software doesn’t

know the user’s DN at that point.

If an invalid configuration file is downloaded or if the local cache is corrupt, it will be ignored and the

installed configuration file will be used. Updates and the ancillary information are stored in the location

specified by CFGUPDATELOCALSTORE. This is usually located in a subfolder of the path containing the

PKCS #15 PDU (%APPDATA%\CSPid\policies on Windows or $HOME/.cspid/policies on UNIX), but

can be independently specified. Deleting the items in this folder will cause CSPid to revert to the installed

initial configuration file and reset the update process.

This mechanism enables administrators to create policies at the organization, group, or individual level.

3.5.5.1. Creating a machine configuration file enabling updates

The following items must be present in the machine configuration file in order to enable the use of

updated configuration files:

CFGUPDATEURL

CFGUPDATEDN

CFGUPDATEPERIOD

CFGUPDATETRUSTMODEL

The CFGUPDATETRUSTMODEL value indicates how the client should trust the web server holding updated

configuration files. Setting it to 0 will use Microsoft Windows’ built in certificate validation routines and

trust anchors and is recommended. For UNIX systems or to restrict the list of trusted certificates you can

set the trust model to 1 or 2. Setting this value to 1 requires that a base64-encoded X.509 trust anchor be

specified in the CFGUPDATETRUSTANCHOR option. Only server certificates whose certificate path ends with


23

this certificate will be trusted for configuration updates. Setting the value to 2 requires that a subject DN

be specified in the CFGUPDATETRUSTDN option. Only server certificates whose certificate path ends in a

certificate whose issuer DN matches this value will be trusted for configuration updates.

3.5.5.2. Creating an updated configuration file

An administrator should begin with the current configuration file so that the update information above

remains the same. They can then modify the file as necessary and save it. The updated file must be named

properly (either cspid_win.cfg or cspid_unix.cfg) and placed in the correct location on the update

server based on the DN for which the configuration file applies.

An experimental central administration client from ISC may be available to help create and maintain

these files. Please contact ISC for up to date information and instructions.

3.5.5.3. Running a manual update

A user can initiate an update by using the cspid_cli --cfg-update command. This will force the

application to attempt to download and use an updated configuration file.

3.5.6. Password Reset Agents

Password reset agents are specified in the configuration file by setting RSTPWAGENTS to a properly

formatted base64-encoded PKCS#7 PDU. A properly formatted base64-encoded PKCS#7 PDU, in this

case means one whose lines do not exceed 100 characters. When specifying this file as RSTPWAGENTS

you must precede each line with an equal sign. The command line option “p7tob64” will output a

properly formatted string given PKCS #7 input file. To update the agents you must update the

configuration file as described in Updating the Configuration File.

3.5.7. Configuration Options

Configuration options are detailed in the following tables:


24

Option Values Notes

P15URL The path and filename

to use for the PKCS

#15 PDU.

On Windows use UNC paths (not

mapped network drive letters)

to specify the location of the

PDU.

USE_OLD_CHANGE_NOTIFY_METHOD

(Windows Only)

Set to 1 to use the

original method for

detecting changes in

the PDU file on

Windows.

Versions 2.1 and above use

Windows folder change

notifications to detect changes

to the PDU file. This improves

performance and reduces network

traffic. If set to 1 CSPid will

load the PDU and compare to its

cached copy.

AUTO_INIT 0 (no)

1 (yes)

If set 0 and the PDU has not

been created the system tray

application will run in reduced

functionality mode. If set to 1

and the PDU has not been

created the system tray

application will prompt the

user to create a password and

initialize the PDU.

VIRTUALIZE_GP_ISSUERS

(Windows Only)

0 (no)

1 (yes)

If set to 1, all issuer

certificates found in the

Windows Group Policy

certificate stores will be made

visible in CSPid. This enables

Netscape-based applications to

use these certificates while

not actually storing copies of

them in the PDU.

READONLY 0 (no)

1 (yes)

If set to 1, only cspid_cli.exe

and cspid_ui.exe (the CSPid

system tray application) will

be allowed to modify the key

store.

ENFORCE_CKA_EXTRACTABLE 0 (no)

1 (yes)

If set to 1, keys created or

imported with CKA_EXPORTABLE

set to FALSE cannot be

exported. Note, older versions

of CSPid marked all imported

keys as CKA_EXPORTABLE=FALSE so

setting this value to 1 may

severely impact existing

deployments.

ECCDHSS_EXTRACTABLE 0 (no)

1 (yes)

If set to 1, the resulting

value of an ECDH computation

can be exported (extracted)

from the CSPid PKCS#11 library.

In most cases this value should

be 0.

BL<TAG> A semi-colon delimited

list of programs that

cannot see

certificates marked

with TAG. The special

value CAPI prevents

When certificates are imported

or generated with the cspid_cli

program the --scope-blacklist

option can be used to tag the

certificate with a text value.

The tag value is prepended with


25

the certificate from

being available to

CAPI. If the program

exe is not readily

available, you can

configure the program

to use a differently

named version of the

cspid library

(orap11.dll for

example) and blacklist

the library name.

BL and the list of banned

applications is determined by

the configuration file. Any

application that appears in the

blacklist will not be aware

that the certificate is

installed.

BLNOTES=nlnotes.exe

WL<TAG> A semi-colon delimited

list of executable or

library names that can

see the certificate

(programs not on the

list cannot see the

certificate). The

special value CAPI

allows the certificate

to be visible to any

CAPI-based

application. If the

program exe is not

readily available, you

can configure the

program to use a

differently named

version of the cspid

library (orap11.dll

for example) and

blacklist the library

name.

When certificates are imported

or generated with the cspid_cli

program the --scope-whitelist

option can be used to tag the

certificate with a text value.

The tag value is prepended with

WL and the list of allowed

applications is determined by

the configuration file. Only

applications that appear in the

whitelist can see certificates

marked in this way.

WLCAPIONLY=CAPI

WLNOTES=nlnotes.exe

Table 3: CSP Options


26

Option Values Notes

LOGLEVEL 0 (critical information)

1 (information)

2 (debug)

Critical information is always

logged to the system log in

addition to any specified log

file. Debug and information log

entries are only logged to the log

file if specified.

LOGFILE The path and filename to use for

the log file.

None.

LOGFILEDAILY 0 (no)

1 (yes)

If set to 1 the LOGFILE name will

be prepended with the day it was

created. This will reduce the size

of the log files.

APPLOGFILE The path and filename to use for

the “registered” applications

list.

Every application that calls or

causes to be called the

C_Initialize() function in

cspid.dll or libcspid.so is stored

in this file and displayed when

the user selects “Show Registered

Applications”.

Table 4: Log Options

Option Values Notes

PWREQNUM 0 (no)

1 (yes)

If set to 1, user created

passwords must contain at

least one number: 0-9.

PWREQALPHA 0 (no)

1 (yes)



least one alphabetic

character: a-z or A-Z.

PWREQMIXEDCASE 0 (no)

1 (yes)


passwords must contain both

lower and upper case

characters.

PWREQPUNC 0 (no)

1 (yes)



least one punctuation mark:

.,?!;:'".

PWREQSPEC 0 (no)

1 (yes)



least one special character:

@#$%^&*()+=-_/><\|[]{}`~

PWAVOID One or more characters. Specify a list of characters

that may not appear in

passwords.

PWMINLEN The minimum length of user

created passwords.

None.


27

PWCACHE 0 (no)

1 (per session)

2 (permanently,

Windows Only)

If set to 1, the user will be

prompted for the CSPid

password the first time it is

required in the login

session. The password will be

stored (encrypted) in the

CSPid.ini file until the CSPid

Manager (system tray

application) exits. If set to

2, the user will be prompted

for the CSPid password once

and it will be cached in the

Windows Registry permanently.

PWCACHE_CLEAR_ON_BAD_PIN 0 (no)

>1 (yes, after this

many failed attempts)

This value represents the

threshold of incorrect

password entry attempts after

which the cached password

will be cleared. This value

applies only if PWCACHE is

enabled and this value is set

to 1 (the default) or

greater. If this value is set

to 0 the cached password will

not be cleared and the user

can reattempt the login using

a blank password which will

cause CSPid to use the cached

password.

PWPROMPT_AT_STARTUP 0 (no)

1 (yes)

If set to 1, the system tray

application will prompt the

user for the CSPid password

when it starts.

PWWINPROMPT (Windows

Only, Optional)

The string to use to locate

the Windows Smart Card PIN

prompt dialog.

For Windows XP: "Smart card

PIN"

For Windows Vista/7: "Windows

Security"

Used in conjunction with

PWCACHE to inject the CSPid

PIN into the Windows password

dialog. The software

determines a suitable default

at runtime, so this is only

needed if Microsoft updates

the PIN prompt dialog.

PWCHANGE The number of days between

required user password

changes.

None.

PWHISTORY The number of unique

passwords required before

the user can re-use a

password.

None.


28

PWTIMEOUT -1 (never)

nonzero (seconds)

If set to -1, password

timeout is disabled. If set

to a positive value the

library will require the user

to enter their password if

the library has been inactive

for the number of seconds

indicated. The minimum value

is 2 seconds.

RSTPWAGENTS A properly formatted base64-

encoded PKCS #7 PDU

containing one or more

password reset agent

certificates.

The command line option

“p7tob64” will output a

properly formatted string

given PKCS #7 input file.

A properly formatted base64-

encoded PKCS#7 PDU, in this

case means one whose lines do

not exceed 100 characters.

When specifying this file as

RSTPWAGENTS you must precede

each line with an equal sign.

This option is only used if

the configuration file is

considered secure – see

sections 3.5.1 and 3.5.2.

RSTPWMINLEN The minimum length of the

reset password.

This value is the number of

random bytes to use for the

reset password. The value the

user must type in will be 1/3

longer than this value. Any

values less than 8 will be

ignored.

RSTPW_MECHANISM 0 (e-mail)

1 (RSTPW_CMD)

2 (save as)

Specifies what to do when the

user chooses to reset their

password.

If set to 0, the user’s e-

mail client will be used to

send an e-mail to the

password reset agents with

the reset password file as an

attachment.

If set to 1, the commands in

the RSTPW_CMD parameters will

be executed.

If set to 2, the user is

asked to save the reset

password file to a folder of

their choice.

RSTPW_MESSAGE A text string When specified this string

will be displayed in a

message box prior to

performing the password reset

mechanism


29

RSTPW_CMD One or more commands to

execute when the reset

password event occurs.

To specify multiple commands,

include multiple RSTPW_CMD=

lines in the configuration

file. If %1 appears in the

command it will be replaced

with the path and filename of

the password reset file prior

to execution.

RSTPW_PROMPT_RESET 0 (no)

1 (yes)

If set to 1, the user will be

prompted with a dialog to

change their password at the

end of the reset password

process. They will need to

provide the reset password

and a new password.

PW2ENABLED 0 (no)

1 (yes)

If set to 1 the PW2MASK item

will be used to determine

whether or not a password

meets the requirements and

PWREQNUM, PWREQALPHA,

PWREQMIXEDCASE, PWREQPUNC,

and PWREQSPEC will be

ignored.


30

PW2MASK A | delimited string of

character classes

representing allowable

passwords.

The string is made up of

ULNPS sequences separated by

the | symbol. Each letter

represents a character class

that must (not) be in the

password. The | symbol

represents is used to create

multiple acceptable

sequences.

U - upper case

character required

L - lower case

character required

N - numeric character

required

P – punctuation

required

S - special character

required

u – upper case

character forbidden

l – lower case

character forbidden

n – numeric character

forbidden

p – punctuation

forbidden

s – special character

forbidden

For example:

ULN|ULP|UPS|Npuls would

accept any of the following

passwords

- mixed case with a

number (Ab3)

- mixed case with

punctuation (Ab!)

- upper case with

punctuation and a

special character

(A!@)

- only numbers

PW2REQCLASSCHG 0 (disabled)

nonzero (characters)

Specifies the maximum number

of consecutive characters

from a single character class

that is allowed. For example,

if set to 4 a password

containing ABCD would be

acceptable, but one

containing ABCDE would be

rejected.

Table 5: Password Options


31

Option Values Notes

NSSEARCHPATH One or more semi-colon delimited

paths that should be searched

for Netscape-based profiles in

addition to CSPid’s default

paths.

A common addition for Netscape 4.x

users is:

%ProgramFiles%\Netscape

NSCREATETRUST 0 (no)

1 (yes)

If set to 1, ephemeral

CKO_NETSCAPE_TRUST objects are

created and made accessible to

applications using CSPid’s PKCS #11

interface. These objects tell the

calling application to trust the

certificates in CSPid.

Table 6: Netscape/Mozilla Options

Option Values Notes

CAIMPORT 0 (never)

1 (prompt user for

trust)

2 (always)

If set to 0, CSPid will not

store certificates for which

it does not store a matching

private key.

If set to 1, CSPid will store

certificates without private

keys, but it will prompt the

user for permission to import

(and thus trust) root

certificates.

If set to 2, as if set to 1,

but on UNIX the user will not

be asked to trust root

certificates.

P12EXPORT 0 (no)

1 (yes)

If set to 1, users will be

allowed to export their

credentials as PKCS #12 files.

P12EXPORTREQUIRESNEWPIN 0 (no)

1 (yes)

If set to 1, users must supply

a password other than their

CSPid password as when prompted

to create a password to

protect exported private keys.

P12IMPORTCA 0 (no)

1 (yes)

If set to 1, CSPid will attempt

to import any issuer

certificates it finds when

importing PKCS #12 files

adhering to the CAIMPORT

setting. When set to 1, CSPid

will attempt to include issuer

certificates when exporting

PKCS #12 files.

P12IMPORTREGAPPS 0 (disabled)

max hours since

Causes the CSPid

UI to trigger

the register with applications

event when a user imports a


32

issuance PKCS #12 file via the CSPid UI

command line (cspid_ui.exe) if

the certificate was issued

within the number of hours

specified.

P12CLIIMPDELONMATCH Keyword When present the CSPid UI will

examine the path and filename

of PKCS#12 files imported via

its command line and, if the

keyword is present, delete the

file after import. This is

typically used to delete

PKCS#12 files “opened” from

within the user’s web browser

by setting the value to Temp

(Firefox) or Temporary

(Internet Explorer).

IGNORE_ISSUERS_IN_GP 0 (no)

1 (yes)

If set to 1 issuer

certificates will be installed

in the user’s certificate

stores even if they are

present in an installed group

policy. If set to 0 issuer

certificates are already in

group policy will not be

installed in the user’s

certificate store.

Table 7: Import/Export Options


33

Option Values Notes

STARTUPCMD One or more commands to

execute when the CSPid Manager

application starts.

None.

ENROLLURL The URL to open when the

enrollment event occurs.

This option is ignored if

ENROLLCMD or ENROLLCAPI is set.

ENROLLURL_MESSAGE Text to display to the user in

a message box in place of the

default text notifying the

user that a browser will open

to start enrollment.

Leave blank to use the default

text.

ENROLLCMD One or more commands to

execute when the enrollment

event occurs.


include multiple ENROLLCMD=

lines in the configuration file.


ENROLLCAPI is specified.

ENROLLCAPI 0 (disabled)

1 (enabled)

If set to 1, the CSPid Manager

will move credentials from the

CAPI “personal” store to CSPid.3

ENROLLCAPI_MESSAGE Text to display to the user in



user that they may be prompted

for their password when moving

their credentials from CAPI.


text.

NEWSIGCERTCMD One or more commands to

execute when new signing

certificate event occurs.


include multiple NEWSIGCERTCMD=


NEWENCCERTCMD One or more commands to

execute when a new encryption

certificate event occurs.


include multiple NEWENCCERTCMD=


DASNEWSIGCERTCMD One or more commands to

execute when new DAS-enabled

signing certificate event

occurs.


include multiple

DASNEWSIGCERTCMD= lines in the

configuration file.

DASNEWENCCERTCMD One or more commands to

execute when a new DAS-enabled

encryption certificate event

occurs.


include multiple

DASNEWENCCERTCMD= lines in the

configuration file.

RENEWURL A URL to open with the default

web browser when the renewal


RENEWCMD is specified. If set,

3 Credentials that cannot be exported (they are stored in a smart card or are marked non-exportable) will not be moved. Credentials are moved by

exporting the private key, importing it into CSPid and then deleting it from the current Microsoft CAPI provider. The current Microsoft EFS

credential, however, will be copied to CSPid. EFS in Windows 2000 and XP only works with credentials stored in Microsoft CSPs. On Windows

Vista, EFS can work with smart card credentials, but it independently caches the CSP of the private key. For these reasons, CSPid does not modify

the EFS certificate in CAPI’s personal store.


34

event occurs. the Renew My Certificates item

appears in the CSPid Manager.

RENEWURL_MESSAGE Text to display to the user in



user that a browser will open

to start enrollment.


text. This text is not displayed

if the user initiates the action

from the CSPid Manager.

RENEWCMD One or more commands to

execute when the renewal event

occurs.


include multiple RENEWCMD= lines

in the configuration file. If

set, the Renew My Certificates

item appears in the CSPid

Manager.

RENEWDAYS The number of days before

certificate expiration that

should be considered when

deciding whether the renewal

event should occur.

None.

REGAPPSCMD One or more additional

commands to execute when the

user invokes Register with

Applications.


include multiple REGAPPSCMD=


ALLCERTSISSUERS

(Windows Only)

Indicates how register with

applications should treat

certificates without matching

private keys.

0 (follow RFC 5280)

1 (treat as issuers)

If set to 0, certificates

without matching private keys

will be treated as issuer

certificates only if they

contain a basic constraints

extension asserting the CA flag.

If set to 1, all certificates

without matching private keys

will be treated as issuer

certificates.

Table 8: Event Handling Options

Option Values Notes

DASENABLE 0 (no)

Serial Number (yes)

If set to a CSPid DAS Enablement

serial number, DAS will be

enabled.

DASSERVER One or more DAS rewrap server

URIs. If provided CSP

id will use this

list of DAS servers rather than

expect the full DAS URL to

reside in the CoI certificates.

DASSIGSERVER One or more DAS signing

server URIs. If provided CSP

id will use this

list of DAS servers rather than

expect the full DAS URL to

reside in the CoI certificates.

DASTIMEOUT The number of seconds to wait

for a DAS server to connect. If provided CSP

id will use this

value instead of the default

value.

DASNUMREDIR -1 (no limit) This value controls the number


35

0 (no redirection)

>0 (number)

of times that CSPid will append

additional DAS URLs returned by

DAS URL Redirection function.

For example, setting this value

to 1 means that after 1 DAS

server has responded with CoI

Not Found and a list of

alternate DAS URLs that all

future CoI Not Found messages

will not add more URLs.

DAS_SIGN_ISSUER_ID Either an issuer DN or an AKI

value to use when selecting a

signing certificate.

If provided CSPid

will use this

information when choosing

between multiple signing

certificates.

DAS_ENC_ISSUER_ID Either an issuer DN or an AKI

value to use when selecting

an encryption certificate.

If provided CSPid

will use this


between multiple encryption

certificates.

DAS_ENC_LABEL_ID A “keyword” that indicates

that a particular certificate

is “better” for encryption

than other certificates.

If provided CSPid

will use this



certificates. For CAC it should

be Encryption.

DAS_SIGN_LABEL_ID A “keyword” that indicates

that a particular certificate

is “better” for signing than

other certificates.

If provided CSPid

will use this



certificates. For CAC is should

be Signature.

EXT_P11_LIB,

EXT_P11_LIB64

The PKCS #11 libraries (32-

bit and 64-bit) to use for

cryptographic operations when

connecting to a DAS server or

signing policy updates.

If provided CSPid

will use the

first available smart card when

authenticating with a DAS server

or decrypting a DAS server’s

response.

EXT_P11_LABEL The label of the token to use

for PKCS #11 operations. If provided CSP

id will find and

use the slot containing a token

with this label. If not present

then it will use the first

available smart card. This

option is most useful when using

a hardware security module with

multiple slots for password

reset operations.

EXT_P11_NAME The name to display to the

user when prompting for the

password to the external

smart card.

If provided CSPid

will display

this name rather than the card’s

label returned from the PKCS #11

library.

Table 9: DAS Options

Option Values Notes

CFGUPDATENAME The name of this configuration

file.

This value is displayed in the

about dialog of the CSPid

Manager for informational

purposes.


36

CFGUPDATELOCALSTORE Specifies the file path that

CSPid should use to store

updated configuration files.

This path should be per-user

and must be user-writable. In

addition to updated

configuration files the user’s

DN and the last update time is

stored in this folder.

CFGUPDATEURL A URL specifying the server,

port, and base path in which

updated configuration files

are stored.

Please see the preceding

section for details on the

directory structure expected.

CFGUPDATETIMEOUT The number of seconds to wait

for an update server to

connect.



update process and the role

this value plays.

CFGUPDATEDN A distinguished name (DN)

representing this computer or

installation instance.




this value plays.

CFGUPDATEUSEUSERDN Determines whether the user’s

own DN or only the computer’s

DN will be used for

downloading updates.

0 (use only

CFGUPDATEDN)

1 (try the user’s DN

first, then fallback to

CFGUPDATEDN)




this value plays.

CFGUPDATEPERIOD The number of days that the

CSPid Manager should wait

between attempting updates.

The default is 0 which disables

updates.

CFGUPDATETRUSTMODEL Specifies the method by which

the update server’s

certificate will be validated.

0 (use Windows)

1 (use

CFGUPDATETRUSTANCHOR)

2 (use

CFGUPDATETRUSTDN)

3 (disabled)

Updated configuration files

will only be retrieved from

trusted web servers. Trust is

established in one of 3 ways:

- Windows path validation

routines and trust

anchors

- A single trust anchor

- A single trust anchor DN

The most secure method is a

single trust anchor.

CFGUPDATETRUSTANCHOR Specifies a single, base64-

encoded X.509 trust anchor. If CFGUPDATETRUSTMODEL=1 this

value contains the trust anchor

to which the server certificate

must chain.

CFGUPDATETRUSTDN Specifies the subject DN of

the trust anchor. If CFGUPDATETRUSTDN=1 this

value contains the issuer DN of

the trust anchor.

Table 10: Configuration File Update Options


37

4. Using CSPid

CSPid integrates into browsers, e-mail clients, and other system applications in the same manner as a

smart card. Once you enter your password, the private keys in the CSPid key store are immediately

available for use in decryption and/or signing operations in any Microsoft CAPI- or (registered) Netscape-

based application.

NOTE: During browser-based PKI enrollment operations, you (or your certificate authority’s webpage)

must explicitly specify the CSPid token. For Internet Explorer select Microsoft Base Smart Card Crypto

Provider, and for Netscape-based browsers select ISC CSPid. Alternatively, you can use CSPid’s built-in

PKCS#10 certificate request generation (cspid_cli --gen-p10).

4.1. The CSPid Management Tool

The CSPid management tool is a system tray application (on systems that support the system tray concept)

that allows you to perform common management tasks and to view the objects managed by CSPid. It

normally starts automatically each time you log in. (On UNIX this behavior must be configured by an

administrator.)

Figure 6: The CSPid

System Tray Menu

The Manage CSPid menu item opens the CSPid Manager’s main dialog, illustrated below; the remaining

menu items are simply shortcuts to identically named items in the main dialog’s menu bar.

This section explains how to use the CSPid Manager (or equivalent system tray menu items) to view the

certificates and other objects stored by CSPid, and to import into, export from, and delete objects from,

your active key store. The CSPid Manager supports the import and export of PKCS #12 and PKCS #7

PDUs, as well as that of (raw binary ASN.1 DER-encoded) X.509 certificate files.


38

Figure 7: The CSPid

Manager’s Main Window (Standard View)

4.1.1. Two Views of the Key Store

The CSPid Manager’s main window initially lists all certificates managed by CSPid; this is the default

“view” of the CSPid key store. When in this view, for example, you can determine if a private key is

associated with a particular certificate by selecting that certificate in the left-hand pane and inspecting its

Private Key property in the right-hand pane.

Selecting Advanced from the View menu causes the main window to switch from showing only

certificates to displaying all objects managed by CSPid. Advanced view allows you to manage individual

certificates, public keys, and private keys.

Figure 8: The CSPid

Manager’s Main Window (Advanced View)


39

4.1.2. Importing Credentials

Choosing Import from the CSPid Manager’s File menu opens the following file selection dialog. Change

the type of file to be imported (PKCS #12, PKCS #7, or X.509), if necessary, using the Files of type drop

down list, select one or more files, and click Open. (As usual in such dialogs, several files of the specified

type can be selected by using the control and/or shift keys in conjunction with the left mouse button.)

Figure 9: Importing a File


40

4.1.3. Exporting Credentials

Selecting a certificate, then choosing Export from the CSPid Manager’s File menu opens a standard Save

as dialog. Enter a filename for the file to be created, change its type (PKCS #12, PKCS #7, or X.509), if

necessary, using the Save as type drop down list, then click Save.

Figure 10: Exporting a File

4.1.4. Deleting Credentials

Selecting a certificate (or key in Advanced view), and choosing Delete from the CSPid Manager’s Edit

menu starts the process of removing a certificate and any associated keys from the CSPid key store. You

will be prompted to confirm that you really want to delete the selected key or certificate.

Figure 11: Confirming Certificate Deletion

If the certificate being removed has an associated private key (which, in the standard view, will also be

deleted), you will be prompted for confirmation a second time to ensure that you fully understand the

consequences of your decision.


41

Figure 12: Confirming Private Key Deletion

If you select an object in Advanced view, and choose Delete from the Edit menu, only the selected object

will be removed from the CSPid key store. (This is different from the behavior of Delete in the standard

view where only certificates are displayed and all associated keys are deleted.)

4.1.5. Changing Your Password

To change the password used to protect private items in your CSPid key store, select Change Password

from the Tools menu (or from the system tray menu).

Figure 13: Changing Your CSPid

Password

The OK button in this dialog will become enabled once you have entered at least one character in all

password fields and the new password satisfies any quality requirements that may be in effect pursuant to

an active security policy. (The status line keeps you apprised of any requirements that remain to be

satisfied.)

NOTE: You will be forced to change your password if a security policy specifying one or more Password

Recovery Agents is installed on your system by an administrator.


42

4.1.6. Initiating Password Reset

If you forget your password (and password reset is enabled4), you may request that a PRA assist you in

resetting it. If password reset is enabled on your system, you’ll see a “Forgot Password?” link on CSPid’s

login dialog:

You can also initiate the process using the system tray menu’s Reset Password item. In some

installations an administrator may implement a different reset process. What follows is the standard

password reset process. Please consult your organization’s documentation on password reset if the

following is incorrect.

To begin the password reset process, click item and enter your contact information into the following

form:

Once you click OK, the supplied information will be e-mailed with an attached password reset (.cpr) file

to all designated PRAs using the e-mail addresses in their certificates.

NOTE: The .cpr file contains only a reset password for your system encrypted for each of the PRAs; it

does not contain any of your private keys. One of the PRAs should decrypt this file for you and provide

you with the reset password which can then be used at the CSPid login prompt in place of your forgotten

password.

4 Password reset is enabled by one or more PRA certificates being specified in the active security policy. See Table 5: Password Options for

details.


43

4.1.7. Handling a User’s Password Reset Request (PRA only)

When a PRA receives a password reset request via e-mail from an end-user, they should first ascertain

that the user is who they claim to be -- insist on appropriate identification! The reset password dialog will

contain the user name (and, on Windows, the domain name) of the user that was logged in when the

password was set. This information allows an administrator to know which account owns the reset

password. Administrators use the CSPid Manager to open the .cpr attachment (by “opening” the file or by

selecting Open Password Reset File from the Tools->Administration menu). The (case-sensitive) reset

password displayed to the administrator can then be returned to the end-user.

4.1.8. Completing Password Reset

Once you have received a (case-sensitive) reset password from a PRA, you may enter it at the CSPid

Manager login prompt in place of your forgotten password. You will be forced to change your password

to complete the password reset process. Alternatively, you can click the Change Password menu item in

the system tray menu and enter the reset password as the Old Password.

NOTE: When you change your password, a new reset password is also generated and the old reset

password known to, and supplied by, your PRA will no longer be valid.

4.1.9. Viewing Client Applications

Selecting Show Client Applications from the Tools menu (or from the system tray menu) will display a

dialog listing all applications that have accessed the CSPid library since it was installed. Note that

registering with applications will not necessarily make them show up in this list. They will appear only

after the application uses a key stored in CSPid. Starting with version 2.2.5 this option is off by default and

must be enabled using the configuration file.


44

Figure 14: Viewing Registered Applications

This dialog provides a quick way of determining which applications have potentially accessed your

private keys without you having to open and search through your system’s event log.

If a Netscape- or other PKCS #11-based application does not appear in this list, it may not be able to use

CSPid until you have invoked the Register with Applications command described next.

4.1.10. Registering With Applications

Selecting Register with Applications from the Tools menu (or the system tray menu) causes CSPid to:

search for Netscape-based profiles along the paths specified in CSPid’s configuration file; CSPid

then registers itself as a PKCS #11 library in each discovered profile using the NSS modutil

program

(Windows only) copy and install all certificates in the CSPid key store into the following

Microsoft CAPI stores: My, addressBook, CA, and Root

Register with Applications is intended to help users easily migrate their credentials to a new system or to

use CSPid on multiple systems (with possibly a network-accessible PKCS #15 PDU as their key store).

Once this command is run, your system will be aware of all your certificates and private keys, as well as

all CA certificates stored by CSPid.

4.1.11. Renewing Your Certificates

If available, choosing Renew My Certificates from the Tools menu (or from the system tray menu) will

initiate the credential renewal process for your organization as specified in the active security policy.

When enabled by an administrator, this command will execute custom scripts that should help simplify

the PKI enrollment/ certificate renewal process for you.


45

4.1.12. The About Dialog

Selecting About from the Help menu (or from the system tray menu) opens an informative dialog that,

among other things, refers users to ISC for support and provides the necessary contact information.

Figure 15: Viewing the About Dialog

4.1.13. Terminating the Management Tool

Selecting Exit from the File menu (or from the system tray menu) will terminate the CSPid management

tool. (Closing the tool’s main dialog minimizes it to your system tray, but leaves it running.)

4.1.14. The Management Tool Command Line

The CSPid

management tool has limited command line functionality designed for integration with the

operating system and to provide functionality for command based events (REGAPPSCMD,

ENROLLCMD, RENEWCMD, NEWSIGCERTCMD, etc.).

Switch Command Required Options Notes

-R reset user

pin

-f <file> Opens the administrative

password reset file specified.

-f <file> none none Specifies a filename to open or

import when used with the –R

and –i options.

-i import file -f <file> Imports the specified file

(.p7b, .cer, .der, .p12, .pfx).

If used with --cspid-auth

%CSPID_UI_AUTH%, CSPid will not

prompt the user when importing

root certificates (MS CAPI may

still prompt the user). If –f

is a wild card specification a

recursive search will be

performed to find and install

all matching items. Use --p12-

pass to specify the import

password. Use --showsuccess to

display a message of your

choice on success.

--p12-pass specifies the none Allows the PKCS#12 import


46

<password> PKCS #12

import

password with

the –i

command

password to be provided via

script rather than input by the

user. If the password is

incorrect they user will be

prompted to enter the password.

--showsuccess

<message>

specifies a

message to

display upon

successful

import

none Causes the application to

display a dialog containing the

provided message upon

successful import of a file.

--export-all-

keys <folder>

export all

credentials

as PKCS #12

files

--cspid-auth

%CSPID_UI_AUTH%

If PKCS #12 export is allowed,

this command will prompt the

user to create a password to

protect the exported files and

then save all of the user’s

credentials as PKCS #12 files

in the specified location.

--backup-p15

<folder>

create a copy

of the CSPid

PKCS #15 file

--cspid-auth

%CSPID_UI_AUTH%

This command will create a copy

of the user’s PKCS #15 PDU in

the specified location for

backup purposes.

--cspid-auth

%CSPID_UI_AUTH%

none none This option authorizes the user

interface to execute sensitive

commands. When found in the

configuration file the

management tool will replace

%CSPID_UI_AUTH% with a nonce

that is checked when the

command is executed.

--move-capi-

keys

migrate CAPI

credentials

none This command moves any

credentials stored in CAPI/CNG

into CSPid.

-- showmessage <message>

display

message box

none This command displays a dialog

with the message provided and

an OK button. It can be used to

alert the user of an impending

event or the completion of an

event.

-- showmessage-tray <message>

Display

system tray

message or

message box

none This command causes the system

tray icon to display a popup

message. If the system tray

cannot do this it behaves as if

--showmessage were specified.

--prog-display

<0|1>

display or

hide the

progress

status window

--prog-status

<message>

--prog-display 1 will cause a

window to appear and display

the message provided by the –

prog-status option.

--prog-display 0 will hide the

window.

--start-hidden

(UNIX-only)

on systems

without a

system tray

start in the

none This command starts the GUI

without showing the main window

(it will prompt for the

password, run any events, and


47

background then disappear into the

background). If the user runs

cspid_ui again the background

instance will display the

manager window. If the user

closes the manager window the

application returns to the

background state. If the user

exits the manager window the

application quits. This

simulates the behavior of the

application on systems with a

system tray.

--min none none If the system tray application

is not running start it.

--renew none none Emulate the user selecting

Renew My Certificates

--register none none Emulate the user selecting

Register with Applications

Table 11: Management Tool Command Line Options


48

4.2. The CSPid Command Line Tools

Command line utilities allowing the scripting of certain actions are provided for use by administrators or

others who want to perform certain actions automatically. They are well suited for use by the event

model.

Note: If permanent password caching is enabled (PWCACHE=2) and the password has been cached, the --

chgpin and --export options will accept the user’s Windows login password in the -p options. This allows

the user who has forgotten the CSPid password (because it’s been permanently cached and so rarely used)

to change their password or export their credentials.

4.2.1. cspid_cli

The cspid_cli command line program is the primary administrative utility and provides most of the

available functionality:

CSPid(R) Command Line Interface, Version 3.0.1

(C) 2007-2013 Information Security Corp. All rights reserved.

Usage: cspid_cli {-b | -c | -C | -e | -h | -i | -r | -u} [-f <file>] [-I]

[-p <pwd>] [-P <path>] [-t <pin>] [--pause] [-y]

Functions (specify exactly one):

--admin-pwdr decrypt and display a user's reset password

--cfg-update force an update of the user's configuration file

--check-p10 load contents of -f argument and verify that it is valid

--check-pin check whether the given password is correct or not

--check-new-pin check whether the given password meets the password

requirements or not

-c, --chgpin change the CSPid password

-C, --clear erase all CSPid objects

--clear-orphans erase all public/private keys without certificates

-e, --export export all CSPid objects; if P12EXPORT=1, certificates

with private keys are saved as .p12 files

--gen-p10 dn generate a key pair and output a PKCS#10 certificate

request with the distinguished name <dn>

--gen-jks generate a Java keystore file in the output file

specified by the -f option and password in -t

-h, --help print this usage information, then exit

-i, --import import a PKCS#12, PKCS#7, or ASN.1 DER-encoded file

--initialize erase any existing CSPid key file and create a new one

-b, --p7tob64 base64-encode a PKCS#7 PDU (for RSTPWAGENTS)

--post url HTTP(S) POST contents of -f argument to specified <url>

--query opt query Active Directory for user info spec'd by <opt>

-r, --register install CSPid into Netscape-based applications and

register certificates in CAPI

--resetpin create a password reset request

-u, --uninstall remove CSPid from Netscape-based applications

Options:

--attribute att the attribute name to retrieve from AD with --query 5

--content-type ct specify the content type to use with --post

--debug output some additional information for some operations

--delay-commit commit changes on exit rather than throughout the process

--exportable-no imported private keys can't be exported by the user

--exp-no-issuers with (-e, --gen-jks), do not include issuer certificates

when creating JKS or PKCS#12 files


49

--exp-no-privates with (-e, --gen-jks), do not include private keys

when creating JKS or PKCS#12 files

--exp-only-label lab with (-e, --gen-jks), only export items whose CKA_LABEL

value contains lab

-f file

--filename file read (-i, -b) the specified file or save the output

(--gen-p10, --gen-jks, --cfg-sign, --cfg-add-sig) in

the specified file

--gen-key-type type generate a key of type <type> when creating a PKCS#10

PDU (--gen-p10). <type> may be RSA1024, RSA2048,

ECCp256, ECCp384, ECCp521

--graphical-prompts use windowing system to prompt for items, not text

--impersonate app with -e or --gen-jks, use the supplied app name to

filter output

-I

--installonly skip CAPI certificate registration (with -r)

--label lab append lab to the default CKA_LABEL value (with -i)

-t use pin as the new CSPid pin or

--p12pin pin use pin as the PKCS#12/JKS file password

--exp-pin pin use pin as the PKCS#12/JKS file password

--exp-pin-cspid use the CSPid PIN as the PKCS#12/JKS file password

-p pin use pin as the CSPid password

-P path

--path path with -e, export files to path

with -i, import all PKCS#12 (.p12/.pfx) files in path

with -r, append path to NSSEARCHPATH

--pause prompt for a key press before exiting

--post-output file with --post, saves the result in the specified file

--replace with -i, updates attributes of existing entries

as opposed to skipping the item

--scope-whitelist imported credentials visible only to these applications

--scope-blacklist imported credentials not visible to these applications

using whitelist and blacklist matching

-y

--yestoall suppress prompts for object deletion and file overwrite

See accompanying documentation for additional information.

Figure 16: The cspid_cli Interface

In general, commands cannot be combined on the same command line and certain options apply only to

particular commands (see table below). The register and uninstall options access the cspid.cfg file to

determine which paths should be searched or use the default values if no paths are specified in the

configuration file. If the path option is supplied to register or uninstall as a semi-colon delimited list of

directories, those directories are searched in addition to paths specified in the configuration file.


50

Command Required Options

Optional Switches Additional Information

admin-pwdr --filename --pause, --graphical-prompts Attempts to decrypt

and display the reset

password for the

password reset file

specified by –-

filename.

cfg-update none --pause, --graphical-prompts Forces the software to

attempt to download a

new digitally signed

configuration file

from the update

server.

check-p10 --filename --pause, --graphical-prompts Parses the PKCS#10

input file, validates

the signature, and

reports whether or not

it is OK.

check-pin none -p, --pause, --graphical-

prompts

Checks to see if the

provided password can

decrypt the user’s

PKCS #15 PDU.

check-new-

pin

-p --pause, --graphical-prompts Checks to see if the

provided password

meets the password

quality requirements.

chgpin none --pause, --graphical-prompts Changes the user’s

CSPid password

interactively from the

command line.

clear none -p, --pause, --yestoall, --

graphical-prompts

Erases all objects

(certificates, public

keys, and private

keys) from the user’s

CSPid store.

clear-

orphans

None -p, --pause, --graphical-

prompts

Erases all public and

private keys for which

no certificate exists.

export --path --p12pin, -p, --pause, --

yestoall, --exp-no-issuers,

--exp-no-privates, --exp-

only-label, --graphical-

prompts, --exp-pin-cspid, --

exp-pin, --impersonate

Exports all objects

from the user’s CSPid

store.

--exp-only-label only

exports items whose

CKA_LABEL contain the

specified value.

If –-exp-pin-cspid or

--exp-no-privates is

specified and password


51

caching is enabled,

the user will not be

prompted for the CSPid

password.

gen-p10

<dn>

--gen-key-type -p, --pause, --yestoall, --

exportable-no, --graphical-

prompts, --filename

Generates a key pair

and certificate

request. <dn> is of

the form “CN=Joe User,

OU=Marketing, O=ISC,

C=US”

gen-jks --filename -p, --pause, --yestoall, --

exp-no-issuers, --exp-no-

privates, --exp-only-label,

--graphical-prompts, --exp-

pin-cspid, --exp-pin, --

impersonate

Generates a Java

keystore file

containing the same

data as would have

been exported using --

export. See export for

details.

help none none Displays the

information shown in

the figure above.

import --filename or

--path

--p12pin, -p, --pause, --

label, --delay-commit, --

scope-whitelist, --scope-

blacklist, --replace, --

graphical-prompts

With –-filename,

imports a single

certificate, PKCS#7 or

PKCS#12 file.

Wildcards are

supported for

importing multiple

files.

With –-path, imports

all PKCS#12 files

found in any of the

paths specified (on

Windows multiple paths

can be specified by

separating them with

semi-colons).

The value of the --

label option is

appended to the

CKA_LABEL values

generated by CSPid.

The –-exp-only-label

option can filter

output based on this

value.

With --replace,

existing entries are

updated with new

values (specifically,

new labels and black-

/whitelist values).

initialize none -p, --pause, --graphical-

prompts

Erases the user’s

existing PKCS #15 PDU

and creates a new one

with the provided

password.


52

p7tob64 --filename --pause, --graphical-prompts Converts the PKCS#7

file specified by –-

filename into the

format required by the

configuration file for

password reset agents.

post <url> --filename --content-type, --pause, --

graphical-prompts, --post-

output

Uploads the contents

specified in –-

filename to the URL

provided (using either

HTTP or HTTPS). The -–

content-type option is

used to specify the

content-type HTTP

header value when

necessary. The default

value is

application/x-www-

form-urlencoded which

is used for posting

simple forms. When

posting multi-part

forms the content-type

must be specified

along with the

boundary value.

query

<opt>

none --pause, --attribute, --

graphical-prompts

1. (Windows only) query Active

Directory for the

user’s first name,

last name, middle

initial, and user

name. Output a

lowercase string of

the following

format CN=lastname

firstname

middleinitial

username

2. (Windows only) query Windows for

the user’s full

name (lastname,

firstname

middleinitial

username)

3. (Windows only) identical to 1, but

also retrieves and

outputs the user’s

e-mail address.

CN=lastname

firstname

middleinitial

username,

[email protected]

rg

4. (Windows only)


53

lists all

attributes of the

current user

(useful for

determining the

attribute name for

option 5)

5. (Windows Only) query Active

directory for the

attribute specified

by the --attribute

option.

register none --installonly, -p, --path, -

-pause, --debug, --

graphical-prompts

With –-installonly,

registers the CSPid

library with Netscape-

based applications.

The CSPid password is

not required.

Without –-installonly,

it registers with

Netscape-based

applications,

Microsoft CAPI/CNG and

runs the Register with

Applications Event.

This option requires

the CSPid password.

resetpin --filename --pause, --graphical-prompts Creates a password

reset file to initiate

password reset.

uninstall none --path, --pause, --

graphical-prompts

(UNIX Only) Removes

the CSPid library

integration from

Netscape-based

applications.

Table 12: cspid_cli Options

4.2.2. cspid_ln (Windows Only)

The cspid_ln utility interfaces with Lotus Notes using the Lotus Notes API and so requires that

nNotes.dll be in the path when run.

CSPid(R) Lotus Notes Tool, Version 3.0.1

(C) 2011-2013 Information Security Corp. All rights reserved.

Usage: cspid_ln.exe <command> <options>

Commands: (specify only one)

--sc-verify test to see if Notes is working properly with CSPid

--sc-install add CSPid information to the notes.ini file

--sc-enable smartcard enable the user's ID

--sc-import transfer CSPid certificates into the user's ID


54

Note: the private key remains in CSPid

--check-pass check if the Notes ID password supplied in --pass-notes

is correct for this ID

--import-p12 <file> import a PKCS#12 file into the specified Notes ID

--help display this usage information

Options: (specify zero or more options)

--verbose display extra information about the process

--notes-id <user.id> use the specified file as the user ID

--pass-notes specify the password for the user's ID

--pass-cspid specify the user's CSPid password

--pass-p12 specify the password for the PKCS#12 being imported

=<notes.ini> use the specified notes.ini file

Example: cspid_ln.exe --verbose --sc-enable --pass-notes password

See accompanying documentation for additional information.

Figure 17: The cspid_ln Interface

Command Required Options

Optional Switches Additional Information

sc-verify none =<notes.ini>, --notes-id, --

pass-notes, --pass-cspid, --

verbose

Returns 0 if Lotus

Notes is configured to

use CSPid, non-zero

otherwise along with

an error message.

sc-install none =<notes.ini>, --notes-id, --


verbose

Adds the CSPid PKCS

#11 library entry to

the user’s notes.ini

file.

sc-enable none =<notes.ini>, --notes-id, --


verbose

Smartcard enables the

user’s notes.id file

(the same as clicking

Enable Smartcard Login

within Lotus Notes).

sc-import none =<notes.ini>, --notes-id, --


verbose

Imports the

certificates in CSPid

into Lotus Notes (the

same as selecting

Import Certificates

from Smartcard within

Lotus Notes).

check-pass --pass-notes =<notes.ini>, --notes-id, --

verbose

Returns 0 if the

password supplied in -

-pass-notes is

correct. Non-zero

otherwise.

import-p12 --pass-notes,

--pass-p12

=<notes.ini>, --notes-id, --

verbose

Returns 0 on success,

non-zero on failure.

Error 6408 indicates

an incorrect Lotus

Notes ID password.

5631 indicates either

an incorrect PKCS#12


55

file password or that

something is wrong

with the PKCS#12 file.

help none none Displays usage

information

Table 13: cspid_ln Options

4.3. The CSPid Audit Trail

CSPid includes a configurable audit trail facility that supports logging events to a specified text file as well

as to the system event log.

All user actions that modify the key store, export private data, or are related to authentication are written

to the system event log regardless of CSPid audit trail settings. This includes object creation, object

modification, use of the credential export functions in the management tools, password entry, password

failure, and password change.

If debug level logging is enabled and a log file is specified, CSPid will append information to assist in

troubleshooting to the log file location. Logging is configured via the CSPid configuration file; see section

3.5 for more information.

4.3.1. Windows

CSPid

creates entries in its own CSPid section of the Windows Event Log. To view the log, use the Event

Viewer accessory provided by Microsoft.

4.3.2. UNIX

On UNIX, CSPid uses syslog to create entries with an identifier of CSPid in the system event log. You

may need to configure syslog to properly capture and store these messages.


56

5. CSPid Password and Key Management

5.1. Password Management

Password change is accomplished using the standard PKCS #11 C_SetPin() call. Users can use the

supplied programs, Netscape-based applications, or other PKCS #11 compliant tools to change their

passwords. It should be noted, however, that once the user changes their password all applications that

currently have the library open will begin receiving CKR_DEVICE_REMOVED errors until restarted.

5.1.1. Password History

The configuration file supports the prevention of password re-use. The administrator can specify the

number of unique passwords a user must use before they can re-use a past password. The password

history is stored by CSPid in the PKCS #15 PDU as a string. The first 8 bytes of the string are the random

salt chosen the first time the password was set. The remaining values are the 20-byte SHA-1 hash values

for each password that the user has used. The string is truncated at each password change to contain only

the last X password hash values where X is the number specified in the configuration file. An iteration

count of 512 is used along with the salt to help ensure that it is not possible to do easy table lookups of

SHA-1 hash to password by attackers.

5.1.2. Forced Password Change

If the configuration file has specified password change requirements based on time (i.e. that users must

change their passwords every X days) the library will enforce this requirement by returning a vendor

defined error code when the C_Initialize() function is called (0x82050112 is returned in this case). In

fact, the C_Initialize() function has succeeded but well behaved applications will detect the error code

and fail. A message box is displayed by the library alerting the user. If the management tool detects this

error it displays the password change dialog to allow the user to easily change their password. For the 10

days preceding a required password change users are asked if they would like to change it when the

management tool starts. The date and time of the last password change is stored in the PKCS #15 PDU.

5.1.3. Administrative Password Reset

When the administrative password reset feature is enabled and the user sets, resets, or changes their

password, CSPid will:

1. generate (in a FIPS 140 compliant manner) a pseudorandom string of at least 8 bytes (see Table

5: Password Options)

2. base64-encode the random string generated in 1 to create a new reset password

3. encrypt as a CMS PDU the reset password under the user password, the reset password itself, and

each PRA certificate, and store the result in the user’s active key store (a PKCS #15 PDU)

4. use the reset password as a “PBE-recipient” key during re-encryption of all private objects

5. use the reset password as a PBE-recipient key when generating an HMAC-based CMS

authentication wrapper for the PKCS #15 PDU

Because of 4, the reset password and user password are on an equal footing with respect to their ability to

unwrap private objects, but unlike the user password, the reset password can be recovered (i.e., decrypted)


57

using an administrator private key. (Note that administrators cannot recover the actual user password

which protects the user in case they have used that password for other purposes.)

So that the reset password is recoverable by any PRA as well as available at runtime to encrypt new or

changed private objects, it is stored in the PKCS #15 PDU encrypted under itself, the user password, and

all PRA certificates. When the user logs in with either their own password or the reset password provided

by a PRA, the system can, in either case, easily recover the reset password and determine which of the

two passwords was entered. If the user entered the reset password, they are forced to change their

password (thereby generating a new reset password unknown to any PRA).

5.1.4. Password Timeout

When the password timeout feature is enabled CSPid will require the user to reenter their password after

the specified period of inactivity has passed. The method used to cause the calling application to prompt

for the password varies depending on how the calling application accesses the library:

Via Microsoft Windows CAPI/CNG the library’s CardAuthenticatePin function will return

SCARD_W_WRONG_CHV when the KEK is encrypted. This causes the Microsoft Base

Smartcard Provider to prompt the user for their password.

Via PKCS #11, the information returned from the library’s C_GetSessionInfo function will

indicate a state of CKS_RW_PUBLIC_SESSION which tells applications that the card is in the

logged out state when timeout has occurred. The calling application can then call C_Login to

authenticate to the library. If the calling application fails to call C_Login the library will prompt

the user for their password if a sensitive value is required.

If an application attempts an operation that requires the KEK but fails to test and re-authenticate

to the library the library itself will display a password prompt. This is the method that the CSPid

Management Tool uses.

NOTE: When used with a web browser, the server’s SSL/TLS server side timeout value may be greater

than the CSPid timeout value in which case no prompting will occur because the server does not require

the user to authenticate again. Sensitive web sites should have a timeout value that is less than or equal to

the timeout value set in CSPid.

5.1.5. Password Caching

On Windows, CSPid supports per-session and permanent password caching. UNIX-based systems support

only per-session password caching. Both work using the same mechanism. On Windows, the cached

password is encrypted using CryptProtectData and stored in the cspid.ini file and in the CSPid P15

PDU. On UNIX-based systems, an AES key is derived from the user’s login ID and used to encrypt the

password. If per-session caching is enabled, this value is deleted when the CSPid system tray application

exits and is only created if the CSPid system tray application is active. If permanent caching is enabled,

this entry is never deleted. In essence, this method ensures that only applications run within the user’s

own credential space can obtain the password. The MSDN documentation on CryptProtectData provides

excellent details and should be consulted if more information is required.

When password caching is enabled, some password prompts will still appear on Windows XP. Notably,

the password prompt generated by CAPI-based applications will still display. CSPid will automatically


58

enter a token string (not the user’s password) into that dialog and click OK for the user when the dialog

appears and is the foreground window.

If permanent password caching is enabled and the user wants or is required to change their CSPid

password they may enter their current Windows password in place of the current CSPid password in the

password change dialog. Similarly, users may enter their current Windows password in place of the

current CSPid password when exporting private keys. In both cases the Windows login password is

confirmed and if correct the cached password is retrieved and used.

5.2. Key Management

CSPid stores certificates, public keys, private keys, and PKCS #11 data objects (CKO_DATA). Following

PKCS #11 specifications, objects that are marked CKA_PRIVATE, TRUE have strong restrictions on which

of their attributes are exposed and which can be changed. Similarly, objects marked CKA_EXTRACTABLE,

FALSE cannot be extracted from the token. Finally, certain object attributes can be changed in only one

direction. For example, the attribute CKA_SENSITIVE can be changed from FALSE to TRUE, but not from

TRUE to FALSE.

NOTE: The correct handling of such restrictions by CSPid might result in unexpected behavior. For

example, since most applications generate keys with CKA_EXTRACTABLE set to FALSE, users may not be

able to export such private keys from the device using a PKCS #11-enabled application.

However, for backup and recovery purposes, users can extract their private keys from the CSPid system

using the integrated management tools; both a graphical user interface and a command line program are

supplied. (These tools do not use standard PKCS #11 API calls but operate directly on the active key store

as a PKCS #15 PDU.)

Private objects are stored in the active key store as encrypted objects. When in memory, all data is stored

in ISC CDK strings or Key objects, both of which meet the FIPS 140-1/2 level 1 requirements for in-

memory storage of keying material. When C_Login is called successfully the encrypted objects in the

PKCS #15 PDU are decrypted into encrypted memory. Memory related to specific objects is decrypted

temporarily when required to perform operations.

5.2.1. Encrypted Memory

When a user logs into CSPid all sensitive objects in the PKCS #15 PDU are decrypted and then stored in

an object in memory. Prior to version 2.1 this information was stored in memory in plaintext. Beginning

with version 2.1, the in memory storage object encrypts sensitive items.

For RSA private keys the following PKCS #11 values are encrypted while in memory: CKA_PRIVATE_EXPONENT

CKA_PRIME_1

CKA_PRIME_2

CKA_EXPONENT_1

CKA_EXPONENT_2

CKA_COEFFICIENT

For ECC private key objects the following values are encrypted while in memory:


59

CKA_VALUE

For secret key objects (resulting from ECDH computations for example) the following values are

encrypted while in memory: CKA_VALUE

For data objects that are marked private (resulting from Lotus Notes storing the user’s password) the

following values are encrypted while in memory: CKA_APPLICATION

CKA_OBJECT_ID

CKA_VALUE

Other sensitive information that is encrypted while in memory: All copies of the PKCS #15 PDU password

All copies of the (optional) password reset password

Temporary values computed when calling C_Decrypt with a NULL buffer in order to

obtain the size of the result.

The encryption scheme varies by platform as discussed below, but always uses a 32-byte key encryption

key (KEK) generated at random and stored in memory that cannot be written to the Windows page file,

UNIX swap partitions or accessed by other processes. The KEK is generated using the getrand3() method

in ISC’s FIPS-validated CDK 7 after which getrand3() is called again to transition the PRNG’s state to

ensure that the KEK does not remain in the PRNG’s memory space.

5.2.1.1. Encrypted Memory on Windows 2000 and Windows XP

On Windows 2000 and Windows XP, CSPid uses CryptProtectData and CryptUnprotectData functions to

encrypt sensitive information in memory. The KEK is stored in memory allocated with VirtualAlloc,

marked with VirtualLock (to prevent paging), and protected with VirtualProtect (to prevent access by

other programs). The KEK is passed into the CryptProtectData and CryptUnprotectData data functions

via the optional entropy parameter in order to protect against other processes obtaining the encrypted

memory and using CryptUnprotectData.

Using this scheme the PKCS #15 PDU passwords and sensitive keying material are protected against the

following:

1. Other programs running on the system cannot access the process’ memory and decrypt the in

memory information because the KEK is protected and is inaccessible to other applications.

2. Someone in possession of the Windows hibernation file cannot decrypt the in memory

information because when Windows hibernates or sleeps it clears information required by the

CryptUnprotectData function to decrypt.

NOTE: When Windows is run inside a virtual machine and that virtual machine is “suspended” the KEK

will be accessible (as will sensitive operating system protected information) in a file on the host machine

that contains the system’s memory. In such instances, ISC recommends using the password timeout

option with a short timeout period in order to clear the KEK from memory as soon as possible.


60

5.2.1.2. Encrypted Memory on Windows Vista and Windows 7

On Windows Vista/7 CSPid uses the CryptProtectMemory and CryptUnprotectMemory functions to

encrypt sensitive information in memory. These functions require the data to be a multiple of

CRYPTPROTECTMEMORY_BLOCK_SIZE (currently 16) and PKCS#5 padding is used to expand

plaintext as necessary. CryptProtectMemory is called with the

CRYPTPROTECTMEMORY_SAME_PROCESS flag to prevent other processes from decrypting the

memory. The KEK is stored in protected memory as described for Windows 2000/XP. The KEK is used

to super encrypt the output of CryptProtectMemory using the AES Key Wrap algorithm specified in RFC

3394 in order to link the user’s password with the encrypted memory to properly suppose password

timeout. In this way, it is more difficult to recover the encrypted memory when the password has timed

out.

Using this scheme the user’s PKCS #15 PDU password and sensitive keying material is protected against

the following:

1. Other programs running on the system cannot access the process’ memory and decrypt the in

memory information because the CRYPTPROTECTMEMORY_SAME_PROCESS flag

restricts access to the original process.

2. Someone in possession of the Windows hibernation file cannot decrypt the in memory

information because when Windows hibernates or sleeps it clears information required by the

CryptUnprotectMemory function to decrypt.

NOTE: When Windows is run inside a virtual machine and that virtual machine is “suspended” the KEK

will be accessible (as will sensitive operating system protected information) in a file on the host machine

that contains the system’s memory. In such instances, ISC recommends using the password timeout

option with a short timeout period in order to clear from memory the KEK which is required to remove

the super encryption prior to calling CryptUnprotectMemory.

5.2.1.3. Encrypted Memory on UNIX-based Systems

On Linux, OSX, and Solaris CSPid uses the AES Key Wrap algorithm specified in RFC 3394 to encrypt

sensitive information in memory which is padded according to PKCS#5. As on Windows, the KEK is

generated and stored in protected memory (mlock is used to prevent it from being swapped; mprotect is

used to prevent access by other processes).

Using this scheme the user’s PKCS #15 PDU password and sensitive keying material is protected against

an attacker accessing the process’ memory and decrypting the in memory information. However, not all

platforms behave in a consistent manner with regards to the mlock and mprotect functions. Notably,

Solaris 8 requires root access to use the mlock function. Thus, it is possible that the KEK could be written

to the swap partition. In general, on UNIX-based systems ISC recommends using the password timeout

option with a value appropriate to the sensitivity of the keys.

5.2.2. Password Timeout Implementation Details

When the C_Login function is first called the library spawns a thread that waits for the specified time of

inactivity to pass and then encrypts the KEK value with the PKCS #15’s password. The encryption

algorithm used is the same algorithm used when encrypting private information for storage in the PKCS

#15 (see section 12.3). When the user reenters their password, the KEK is decrypted and placed back into


61

protected memory. Thus, when password timeout is enabled all sensitive information is encrypted and the

PKCS #15 PDU password is required to decrypt.

5.2.3. Key Management in the CSPid

Management Tool

Prior to version 2.1 the CSPid Management Tool would keep all keys in memory in plaintext form when

running. Beginning with version 2.1, in addition to storing the keys in encrypted memory, the CSPid

management tool will encrypt the KEK, using the same method as described in 5.2.2, when minimized. If

the KEK is required for an operation the tool will prompt the user for the password.


62

6. CSPid Libraries

6.1. The PKCS #11 Library

CSPid includes a PKCS #11 library module named CSPid.dll (Windows) or libcspid.so (UNIX) for

use by security-enabled applications that can access PKCS #11 compliant tokens.

On Windows, this library is installed in the CSPid program folder, by default C:\Program Files\CSPid,

and is automatically registered in any Netscape-based profiles the next time the user logs in.

On UNIX, the default installation directory is /opt/cspid.

Manual configuration is normally required for non-Netscape-based applications and most Java

applications. See Chapter 3 for more detailed information.

At this time the PKCS #11 library implements only RSA private key operations and publishes its

capabilities via the C_GetMechanismInfo() function.

See “CSPid API Developer’s Guide, Version 1.1.0” for complete details.

6.2. The Microsoft Windows Library

CSPid can integrate with any application that uses the native cryptographic framework on a supported

Windows platform (e.g., Internet Explorer, Outlook, Outlook Express) through their CryptoAPI (CAPI)

or “Cryptography API: Next Generation” (CNG) interfaces. This is accomplished by installing a virtual

smart card reader, the Microsoft Base Smart Card Provider Cryptographic Service Provider, and a Smart

Card Minidriver adhering to Microsoft specifications, and then registering CSPid as the system’s default

CSP.

When configuring Windows applications to use CSPid for PKI enrollment purposes, users and

administrators must select the Microsoft Base Smart Card Crypto Provider to ensure that all keys are

generated and stored by CSPid.


63

7. Quality Assurance Issues

7.1. Testing Methodology

On Windows, CSPid was tested against the following system and applications software, to ensure that it

correctly performed the indicated tasks with all applications:

Software Tasks Executed

Windows XP SP 2

Internet Explorer 6

Microsoft Outlook 2003

Firefox 2.0

Thunderbird 1.5

JRE 1.5.0_09

Netscape 4.79 w/PSM 1.4

Certificate enrollment

Client-authenticated SSL/TLS

S/MIME sign/decrypt

Memory scanning for sensitive

material

Table 14: Test Configurations

See the CSPid Test Plan document for detailed information on the range of tests that were performed.


64

7.2. Known Issues

7.2.1. Windows

Uninstalling CSPid may leave links in CAPI between certificates and the removed CSPid.dll. If

the user attempts to use a private key associated with one of these certificates, they will either be

shown an error message or be prompted to insert a smart card containing the associated private

key. Reinstalling CSPid and “clearing” it using the command line management utility will resolve

this issue. Alternatively, the user can just delete the affected certificates from the CAPI store

using Internet Explorer.

If the user is roaming from machine to machine deleting certificates will leave entries in the

Microsoft CAPI store on a previously used machine. When the user goes back to that machine

and uses an application that is CAPI-based they may be presented with a dialog asking them to

insert a smart card. This is usually fixed when the CSPid system tray application starts. In cases

where it is not automatically fixed, the user must run the Register with Applications command

which will remove stranded entries.

When used over Windows RDP (remote desktop protocol) and certain other remote desktop

protocols if CSPid is not installed on the client (i.e. local) system operations attempting to utilize

a key in CSPid will fail. Typically, the user will be prompted to insert a smart card or told that the

smart card service is disabled. To resolve this issue, either install CSPid on the local system or

install the CSPid Smart Card Reader driver on the local system (in cases where the local system

doesn't need the full CSPid package).

7.2.2. Netscape 4.x or higher w/o PSM

Currently none.

7.2.3. Netscape 4.75 or higher w/PSM 1.4

Importing a certificate (as part of a PKI enrollment process) and then immediately using the

personal security manager (PSM) to view available certificates causes it to crash, requiring the

user to restart Netscape.

7.2.4. Internet Explorer

When running in Internet Explorer's "protected mode" CSPid is unable to make changes to disk. If

password caching is enabled and the first password prompt occurs in Internet Explorer when in

"protected mode" the password will not be cached.

7.2.5. Microsoft Outlook

Currently none.


65

8. Net-Centric Applications

CSPid can be deployed in conjunction with DAS and your company's existing security-enabled

applications (e.g., Microsoft Outlook S/MIME) to support enhanced security protocols, such as role-based

signing and decryption that were previously impossible to implement with conventional PKI-based tools.

In fact, the combination of CSPid and DAS allows you to leverage security tools based on today's

standards to provide functionality that some vendors would have you believe can only be obtained using

more recent schemes such as identity-based encryption (IBE) for which standards have not yet been

established.

The following scenarios illustrate four of the possible applications of CSPid/DAS in a 'net-centric'

environment:

8.1. Role-Based Authentication

PROBLEM: A group of watch officers are to sign messages that recipients can validate as having been

issued by some authorized group member. (In this scenario, recipients don't care which individual signed

a given message, they only need assurance that an authorized member of the group did so.)

SOLUTION SETUP: An asymmetric key pair is generated for the watch officer role, a special role

certificate is issued on the public component, and the role private key is put under the control of a DAS

server that is configured to perform signing operations with that key only for individuals on the active

duty roster for this role. The role certificate is loaded into the CSPid clients on all watch officer systems

and CSPid is registered with all security-enabled client applications on those systems. (In fact, all watch

officer logins may be hosted on a single system.)

OPERATION: When a watch officer attempts to sign an outgoing message using the role credentials with

any security-enabled client application on his system, his CSPid client automatically establishes a TLS-

secured connection (with client authentication) to the appropriate DAS server where the signature

computation is performed using its protected role private key. As usual, recipients use the watch officer

role certificate to validate all signed messages.

DAS server

(watch officer private key

and duty roster/ACL)

HSM

(optional)

CSPid

(role certificate)

net-centric

environment

(TLS w/ client auth.) duty roster

watch officer

role

watch officers

1 Application requests role signature

2 CSPid contacts server w/ client credentials

3 Server authenticates client, returns signature to CSPid

3 CSPid returns signature to application as if it was signed locally

Figure 18: Watch Officers Sign Messages with Shared Role Key on DAS Server

RESULT: Recipients can be assured that an authorized watch officer issued each validly-signed message

while the DAS server’s audit trail keeps track of the identities of the individuals who actually performed


66

each signing operation. Since the watch officer private key is securely protected by the DAS server

(possibly on an independent HSM), at no time is it available for compromise even by authorized signers.

8.2. Role-Based Encryption

PROBLEM: Documents and e-mail messages encrypted for a particular commander (e.g., CMDR

CENTCOM) must be available (without re-keying) to his successor in that role.

SOLUTION SETUP: An asymmetric key pair is generated for the commander, a special role certificate is

issued on the public component, and the private component is put under the control of a DAS server that

is configured to perform decrypt operations with that key only for the active commander. The certificate

is loaded into the CSPid client on the commander's system and CSPid is registered with all security-

enabled client applications. All documents and e-mail messages are encrypted for the commander using

the role certificate.

OPERATION: When the commander attempts to decrypt a document or e-mail message encrypted with

the role certificate, the CSPid client on his system automatically establishes a TLS-secured connection

(with client authentication) to the appropriate DAS server where the required asymmetric key unwrapping

operation is performed using its protected private key. When the commander is replaced, an administrator

need only update the access control list (ACL) for the corresponding DAS account.

DAS server

(role private key)

HSM

(optional)

net-centric

environment

(TLS w/ client auth.)CSP

id

(role certificate)

Commander

1 Application requests unwrapping of session key


3Server authenticates client, returns to CSP

id session key

rewrapped with client certificate

3CSP

id unwraps session key (using client private key) and returns it to

application as if it was unwrapped locally

Figure 19: Commander Decrypts Documents Using Role Key on DAS Server

RESULT: All sensitive documents and e-mail messages remain encrypted under a single certificate and

can only be decrypted by the current commander after strong authentication using his current individual

credentials (e.g., CAC card). No re-keying is necessary as different individuals inherit the commander

role and the critical private key is securely stored on a DAS server or, even more securely, on an attached

HSM. The DAS server's audit trail provides a centralized record of all decrypt operations and, optionally,

of the true identity of the individual who performed them.

8.3. Confidentiality within a Community of Interest

PROBLEM: Sensitive documents must be security shared among the members of a community of interest

(CoI) with a dynamic membership roster.


67

SOLUTION SETUP: An asymmetric key pair is generated for the CoI, a special group certificate is

issued on the public component, and the private component is put under the control of a DAS server that

is configured to perform decrypt operations with that key only for active CoI members. The certificate is

loaded into the CSPid client on the systems of all CoI members, and CSPid is registered with all security-

enabled client applications on those systems. All sensitive documents and e-mail messages intended for

the CoI are encrypted under the group certificate.

OPERATION: When a CoI member attempts to decrypt a document or e-mail message encrypted with

the group certificate, the CSPid client on his system automatically establishes a TLS-secured connection

(with client authentication) to the appropriate DAS server where the required asymmetric key unwrapping

operation is performed using its protected private key. When the CoI membership roster changes, an

administrator need only update the access control list (ACL) for the corresponding DAS account.

DAS server

(CoI private key and

membership roster ACL)

HSM

(optional)

CSPid

(CoI certificate)

net-centric

environment

(TLS w/ client auth.)CoI member

Co1 Application requests unwrapping of session key


3Server authenticates client, returns to CSP

id session key

rewrapped with client certificate

3CSP

id unwraps session key (using client private key) and returns it to

application as if it was unwrapped locally

membership

roster

Figure 20: CoI Members Decrypt Documents Using CoI Key on DAS Server

RESULT: All sensitive documents and e-mail messages remain encrypted under a single certificate and

can only be decrypted by active CoI members after strong authentication using their current individual

credentials. No re-keying is necessary as changes are made to the CoI membership roster. The critical

private key is securely stored on a DAS server or, even more securely, on an attached HSM. The DAS

server's audit trail provides a centralized record of all decrypt operations and, optionally, of the identities

of the individual CoI members who performed them.

8.4. Expanded Storage and Enhanced Security for Private Keys

PROBLEM: Key rollover results in a new certificate and private key being loaded onto a high-ranking

officer's smartcard where limited storage causes an older certificate and private key to be displaced.

Suddenly the officer has lost the ability to decrypt documents and e-mail messages encrypted with the

older credentials.

SOLUTION SETUP: Load the officer's entire key history into an account on a DAS server and install his

certificate history into a CSPid client on his own system.

OPERATION: Once CSPid has been registered with all security-enabled applications on the officer's

system, they will use his smartcard for cryptographic operations requiring his latest private key but

transparently establish a TLS-secured CSPid/DAS connection when access to an older private key is

required. Going forward, key rollover simply involves moving the officer's retiring certificate to

CSPid and the corresponding key pair to his account on the DAS server.


68

DAS server

(old private keys)

Officer

CAC

(newest keys)HSM

(optional)

CSPid

(old certificates)

net-centric

environment

(TLS w/ client auth.)

1 Application requests crypto operation using old private key

2 CSPid contacts server w/ current client credentials

3

Server authenticates client, performs private key operation

and returns to CSPid

result encrypted under user’s current

credentials

3CSP

id applies user’s current private key to unwrap result and returns it

to application as if old private key operation was performed locally

Figure 21: Officer Retains Access to His Entire Key History

RESULT: By relying on the virtually unlimited storage of the DAS server (and the potentially greater

security of its key store which may be located on an HSM), an (on-line) user can maintain use of his

entire key history. He thereby retains access to all encrypted documents and e-mail messages ever sent to

him in a completely seamless manner.

8.5. Brokered Authentication - “Need-to-Know” Control Over Sensitive Resources

PROBLEM: Access to a sensitive resource needs to be controlled with a set of finely-tuned access control

rules that might vary over time.

SOLUTION SETUP: Generate a "resource key pair," obtain a "resource certificate" on the public key,

and distribute it to all users who might require access to that resource; ensure that the certificate is loaded

into the CSPid client on each user's system (this step may be automated in several ways). Create a DAS

account for the resource and install its certificate and private key along with a custom "authenticator" that

implements the access control rules. (An authenticator is a simple Java function that implements the

access control predicate: it takes as input the user's credentials and returns a Boolean response indicating

whether the user should be allowed or denied access to the requested resource. Sample predicates based

on LDAP group membership, certificate extension and/or attribute values, etc., can be provided.)

OPERATION: When an application attempts to access the sensitive resource, CSPid will be asked to

provide authentication (which normally takes the form of a "proof of possession" of the resource private

key — typically a digital signature). CSPid will then attempt to obtain this signature from the appropriate

DAS server as illustrated in the following diagram:

DAS server

(Resource private key and

custom “authenticator”)

HSM

(optional)

CSPid

(resource certificate)

net-centric

environment

(TLS w/ client auth.)

User

1 Application requests authentication for resource access


3If server authenticates client, resource authentication result is

returned to CSPid

3If available, CSP

id provides authentication to application, otherwise

access fails.

Figure 22: A DAS Server Used to Impose Strong "Need-to-Know" Controls over Sensitive Resources


69

Only if the user's credentials pass the custom authenticator's test will the DAS server provide the required

signature for resource access.

RESULT: Together, CSPid and DAS provide assurance that the sensitive resource is securely protected.

Maintenance of the entire system is simplified by reliance on a custom "authenticator" that may be easily

modified whenever access control policies change. A single DAS server can be used to protect an

unlimited number of sensitive resources in this way.


70

9. References

CSPid API CSPid API Developer’s Guide, v 2.1.0, Information Security Corp., April 2010.

CSPid Test Plan CSPid Test Plan, v 2.1.0, Information Security Corp., April 2010.

FIPS 46-3 FIPS 46-3: Data Encryption Standard (DES), NIST, October 25, 1999. Archived

May 19, 2005. http://csrc.nist.gov/publications/PubsFIPSArch.html

FIPS 180-2 FIPS 180-2: Secure Hash Standard, NIST,. August 1, 2002. Archived October

2008 and superseded by FIPS 180-3.

http://csrc.nist.gov/publications/PubsFIPS.html

FIPS 197 FIPS 197: Advanced Encryption Standard (AES), NIST, November 26, 2001.


Java PKCS #11 Java™ PKCS #11 Reference Guide, Sun Microsystems, May 2004.


Java SSL/TLS Java™ Secure Socket Extension (JSSE) Reference Guide, Sun Microsystems, 2004.

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

MODUTIL Using the Security Module Database Tool (modutil), Mozilla.org

http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html

MS SCMD Smart Card Minidriver Specification for Windows Base Cryptographic Service

Provider (Base CSP) and Smart Card Key Storage Provider (KDP) v 5.05,

Microsoft Corp., October 2006.

http://www.microsoft.com/whdc/device/input/smartcard/sc-minidriver.mspx

NIST AES Key Wrap

AES Key Wrap Specification, NIST, November 2001.

http://csrc.nist.gov/groups/ST/toolkit/documents/kms/AES_key_wrap.pdf

PCSC Basko, Dmitry, Development of PC/SC compatible driver for WINDOWS (MS

VC++.NET), 2003. http://www.bds.dogma.net/pc_sc.htm

PKCS #5 Password-Based Encryption Standard. v2.0, RSA Laboratories, March 25, 1999.

http://www.rsasecurity.com/rsalabs/node.asp?id=2127

PKCS #8 Private-Key Information Syntax Standard. v1.2, RSA Laboratories , November

1993. http://www.rsasecurity.com/rsalabs/node.asp?id=2130

PKCS #11 Cryptographic Token Interface Standard. v2.20, RSA Laboratories, June 2004.


PKCS #12 Personal Information Exchange Syntax Standard. v1.0, RSA Laboratories, June


PKCS #15 Cryptographic Token Information Syntax Standard v1.1, RSA Laboratories, June


RFC 3211 Gutmann, P., RFC 3211: Password-based Encryption for CMS, University of

Auckland, December 2001. http://tools.ietf.org/html/rfc3211

http://csrc.nist.gov/publications/PubsFIPSArch.html




http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html

http://www.microsoft.com/whdc/device/input/smartcard/sc-minidriver.mspx

http://csrc.nist.gov/groups/ST/toolkit/documents/kms/AES_key_wrap.pdf

http://www.bds.dogma.net/pc_sc.htm






http://tools.ietf.org/html/rfc3211


71

RFC 3394 Schaad, J., and R. Housley, RFC 3394: Advanced Encryption Standard (AES) Key

Wrap Algorithm, Soaring Hawk Consulting and RSA Laboratories, September

2002. http://tools.ietf.org/html/rfc3394

RFC 3565 Schaad, J., RFC 3565: Use of the Advanced Encryption Standard (AES) Encryption

Algorithm in Cryptographic Message Syntax (CMS), Soaring Hawk Consulting,

July 2003. http://tools.ietf.org/html/rfc3565

RFC 3852 Housley, R., RFC 3852: Cryptographic Message Syntax (CMS), Vigil Security,

July 2004. http://tools.ietf.org/html/rfc3852

RFC 4231 Nystrom, M., RFC 4231: Identifiers and Test Vectors for HMAC-SHA-224, HMAC-

SHA-256, HMAC-SHA-384, and HMAC-SHA-512, RSA Security, December 2005.


Tomcat The Apache Tomcat 5.5 Servlet/JSP Container SSL Configuration HOW-TO, The

Apache Software Foundation, 1999-2006. http://tomcat.apache.org/tomcat-5.5-

doc/ssl-howto.html

X.680 Information Technology – Abstract Syntax Notation One (ASN.1): Specification of

Basic Notation, ITU-T, July 2002.

X.690 Information Technology – ASN.1 Encoding Rules: Specification of Basic Encoding

Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules

(DER), ITU-T, July 2002.





http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html


72

10. Appendix A: Default Configuration File

The default configuration file as provided to administrators for modification prior to installation.

#########################################################################

# CSPID SAMPLE CONFIGURATION FILE

# Version 3.0.1

# Copyright (c) 2007-2013 Information Security Corp. All rights reserved.

#

#########################################################################

#

# Edit this file to configure how the CSPid token functions.

#

# Windows:

# This file must be located in the same folder as the CSPid

# library (CSPid.dll or libcspid.so).

#

# UNIX:

# The CSPid library searches for this file in this order

# a. /etc/cspid.cfg

# b. /usr/etc/cspid.cfg

# c. /opt/cspid/cspid.cfg

# d. $CSPidInstDir/cspid where CSPidInstDir is an environment

# variable specifying the location of the configuration file.

#

# File Format:

# a. Any line beginning with # or ; is considered a comment.

# b. Blank lines are ignored.

# c. All other lines should be Option=Value pair.

# d. Where noted, you may continue an option on the next line by

# using nothing for the Option (i.e. simply "=Value")

#

#########################################################################

########################################################################

# CSP SETTINGS

#########################################################################

#

# P15URL specifies the path and filename to use for the PKCS#15 PDU.

;P15URL=%APPDATA%\CSPid\cspid.p15

#

# USE_OLD_CHANGE_NOTIFY_METHOD specifies that the library should use the

# older "load and compare" method of PDU change detection logic rather than

# the new (much faster) method or relying on Windows change notifications.

# This is a Windows-only option.

# 0 (no)

# 1 (yes)

;USE_OLD_CHANGE_NOTIFY_METHOD=0

#

# AUTO_INIT specifies whether or not the system tray application will prompt

# the user to set a password and configure a key store. If set to 0, the

# system tray application will run in reduced functionality mode until this

# option is changed or the PDU is initialized with the cspid_cli tool AND

# the system tray application is restarted.

# 0 (no)

# 1 (yes)

;AUTO_INIT=1

#

# VIRTUALIZE_GP_ISSUERS specifies whether or not certificates in the Windows

# Group Policy certificate stores will be visible through CSPid to PKCS#11

# applications. Enabling this is an efficient way to manage trust anchors in

# Netscape/Firefox/Thunderbird.

# 0 (no)

# 1 (yes)

#

;VIRTUALIZE_GP_ISSUERS=0


73

#

# READONLY specifies that only the CSPid tools can write to the PKCS#15

# PDU. This prevents Firefox, Internet Explorer, and other applications

# from generating keys or otherwise manipulating the PDU.

# 0 (no)

# 1 (yes)

;READONLY=0

#

# ENFORCE_CKA_EXTRACTABLE specifies that CSPid should prevent the export

# of any keys marked CKA_EXTRACTABLE=FALSE. This attribute can be set

# using the cspid_cli's --exportable-no option during either private key

# import (--import) or key generation (--gen-p10). Note, previous versions

# of CSPid marked all keys CKA_EXTRACTABLE=FALSE. Thus is you are upgrading

# and set this value to 1, your users will not be able to export their

# keys.

# 0 (no)

# 1 (yes)

;ENFORCE_CKA_EXTRACTABLE=0

#

# ECCDHSS_EXTRACTABLE specifies whether or not CSPid should allow the

# ECDH result to be exported (extracted) from the library. In most cases

# this value should remain 0.

# 0 (no)

# 1 (yes)

;ECCDHSS_EXTRACTABLE=0

#

# BL<TAG> specifies a blacklist for all certificates marked with TAG.

# TAG can be specified during import using the cspid_cli --scope-blacklist

# option or using the CSPid Manager edit attribute option.

# For example, BLVPN=firefox.exe will prevent any certificate tagged VPN

# from appearing in Firefox. BLNOCAPI=CAPI will prevent any certificate

# tagged NOCAPI from appearing in CAPI-based applications.

#

# WL<TAG> specifies a whitelist for all certificates marked with TAG.

# TAG can be specified during import using the cspid_cli --scope-whitelist

# option or using the CSPid Manager edit attribute option.

# For example, WLVPN=firefox.exe allow certificates tagged VPN

# to only appear in Firefox. WLCAPIONLY=CAPI will allow certificates tagged

# CAPIONLY to only appear in CAPI applications (they will not appear in

# Firefox, etc.).

#

#########################################################################

#########################################################################

# LOG SETTINGS

#########################################################################

#

# LOGLEVEL specifies an integer representing the logging level to use.

# 0 (critical information only)

# 1 (information)

# 2 (debug)

# Debug and information entries appear only in the file specified by LOGFILE.

# Critical information entries are always logged to the system event log, and

# optionally to the file specified by LOGFILE.

;LOGLEVEL=0

#

# LOGFILE specifies path and filename in which to log information in

# addition to the system event log.

;LOGFILE=

#

# LOGFILEDAILY specifies whether or not the log file name (specified above)

# should be pre-pended with the day of creation. This prevents the logfile

# from growing too large.

# 0 (no)

# 1 (yes)

;LOGFILEDAILY=0

#

# APPLOGFILE is the location where CSPid stores the list of

# applications that have called the C_Initialize function. The default

# is to disable this feature by not specifying a filename.


74

;APPLOGFILE=

#########################################################################

#########################################################################

# PASSWORD SETTINGS

#########################################################################

#

# PWCACHE specifies whether or not password caching is enabled.

# 0 (no)

# 1 (per-session)

# 2 (permanently - Windows Only)

;PWCACHE=0

#

# PWCACHE_CLEAR_ON_BAD_PIN specifies the threshold of incorrect password attempts

# which if exceeded will result in the clearing of the cached password.

# 0 (no)

# >=1 (yes, after the number of attempts specified)

;PWCACHE_CLEAR_ON_BAD_PIN=1

#

# PWPROMPT_AT_STARTUP specifies whether or not the system tray application

# will prompt the user for a password when they log into Windows (or it is

# started on UNIX-like operating systems. Useful when combined with PWCACHE=1).

# 0 (no)

# 1 (yes)

;PWPROMPT_AT_STARTUP=0

#

# PWREQNUM specifies whether or not user created passwords must include

# a number.

# 0 (no)

# 1 (yes, one of [0-9] must be included)

;PWREQNUM=0

#

# PWREQALPHA specifies whether or not user created passwords must

# include an alpha character.

# 0 (no)

# 1 (yes, one of [a-z][A-Z] must be included)

;PWREQALPHA=0

#

# PWREQPUNC specifies whether or not user created passwords must

# included a punctuation mark.

# 0 (no)

# 1 (yes, one of [.,?!;:'"] must be included)

;PWREQPUNC=0

#

# PWREQSPEC specifies whether or not user created passwords must

# include a special character.

# 0 (no)

# 1 (yes, one of [@#$%^&*()+=-_/><\|[]{}`~] must be included)

;PWREQSPEC=0

#

# PWREQMIXEDCASE specifies whether or not user created passwords

# must include both lower and upper case characters

# 0 (no)

# 1 (yes)

;PWREQMIXEDCASE=0

#

# PWMINLEN specifies the minimum length of user created passwords.

# Applies to both password quality settings.

;PWMINLEN=1

#

# PWCHANGE specifies the time between required user password changes.

# During the 10 days prior to mandatory password change the user will

# be offered the chance to changed their password when the CSPid

# Manager starts.


;PWCHANGE=0

#

# PWHISTORY specifies the number of unique passwords required before


75

# a user can re-use a previous password.


;PWHISTORY=0

#

# PWTIMEOUT specifies the password timeout value in seconds. After

# X seconds of inactivity the user will be required to re-enter their

# CSPid password. Please see the CSPid user's guide for complete

# implementation details and guidance.

# -1 = never

# nonzero = seconds of inactivity after which PIN re-entry is required


;PWTIMEOUT=-1

#

# RSTPWAGENTS specifies one or more password reset agent certificates

# as a base64-encoded PKCS#7 PDU. The cspid_cli utility's --p7tob64

# option will convert a PKCS#7 generated by another application into

# the form expected by this configuration file. The basic rules are:

# a. No line can exceed 500 characters in length

# b. Continuation lines must begin with a = character

#

;RSTPWAGENTS=First line of PDU

;=Second line of PDU

;=Third line of PDU

#

# RSTPWMINLEN specifies the number of random bytes to generate when

# creating the reset password. The reset password the user must enter

# will be 1/3 bigger than this value. The default value is 10, the

# minimum value is 8. This value should be at least as big as

# the PWMINLEN value.

;RSTPWMINLEN=10

#

# RSTPW_MECHANISM specifies the technique that CSPid's system tray

# application will use to help the user through password reset.

# 0 (e-mail, the normal mechanism available prior to the 2.4.3 release)

# 1 (use RSTPW_CMD, see below)

# 2 (prompt the user to save the reset file)

;RSTPW_MECHANISM=0

#

# RSTPW_MESSAGE specifies a message to display to the user before

# performing the password reset mechanism specified in RSTPW_MECHANISM

;RSTPW_MESSAGE=

#

# RSTPW_CMD one or more commands to run when the user initiates password

# reset. %1 in the command will be replaced with the path/filename of the

# password reset file.

;RSTPW_CMD=

#

# RSTPW_PROMPT_RESET specifies whether or not the user will be prompted to

# change their password at the end of the reset process.

# 0 (no)

# 1 (yes)

;RSTPW_PROMPT_RESET=1

#

# PW2ENABLED enables advanced password quality logic in place of some of

# the original password quality requirements listed above (PWREQNUM, PWREQALPHA,

# PWREQPUNC, PWREQSPEC, and PWREQMIXEDCASE are replaced by PW2MASK and the

# additional PW2REQCLASSCHG option applies) while still enforcing cache, length,

# reset, and periodic change requirements.

# 0 (no)

# 1 (yes)

;PW2ENABLED=0

#

# PW2MASK specifies the password quality requirements if PW2ENABLED is

# set to 1. This is a | delimited string of password classes:

# U = upper case character required

# L = lower case character required

# N = number required

# P = punctuation required

# S = special character required

# u = upper case character forbidden


76

# l = lower case character forbidden

# n = number forbidden

# p = punctuation forbidden

# s = special character forbidden

# These can be combined to produce password quality requirements

# that require the password to be mixed case and contain either a number

# or punctuation: ULN|ULP

# For example: ULNP|ULNS|ULSP|Nulsp

# would accept passwords that matched one of:

# mixed case with a number and a punctuation symbol

# mixed case with a number and a special character

# mixed case with a special character a punctuation symbol

# only numbers

;PW2MASK=

#

# PW2REQCLASSCHG specifies the maximum number of consecutive characters

# allowed from a character class.

# 0 (disabled)

# > 0

# For example, if PW2REQCLASSCHG is 4 then no password can contain more

# than 4 consecutive: upper case characters, lower case characters,

# numbers, punctuation marks, or special characters. So, ABCDE1234 would

# be invalid, but AbCDE1234 would be accepted.

;PW2REQCLASSCHG=0

#########################################################################

#########################################################################

# NETSCAPE/MOZILLA SETTINGS

#########################################################################

#

# NSSEARCHPATH specifies one or more semi-colon delimited paths

# that CSPid should search when finding Netscape-based application

# profiles during installation or when the user selects Register with

# Applications. A common addition is %ProgramFiles%\Netscape

#

;NSSEARCHPATH=%APPDATA%\Mozilla;%APPDATA%\Thunderbird

#

# NSCREATETRUST specifies whether or not to CKO_NETSCAPE_TRUST

# objects are created for certificates stored by CSPid.

# 0 (no)

# 1 (yes)

# Setting this value to 1 will cause most Netscape-based applications

# to trust any certificate stored by CSPid (including roots).

;NSCREATETRUST=1

#########################################################################

#########################################################################

# IMPORT/EXPORT SETTINGS

#########################################################################

#

# CAIMPORT specifies whether or not CSPid should store issuer

# certificates.

# 0 (Never import CA certificates via the CSPid User Interface.

# Effectively disables the import of anything but PKCS#12 files.)

# 1 (Allow users to import CA certificates via the CSPid user

# interface, but prompt for approval of root certificates.)

# 2 (Allow users to import CA certificates via the CSPid user

# interface without any prompting (CAPI prompts *may* appear).)

# Note, this setting affects PKCS#12 import and export with regard to

# prompting only.

;CAIMPORT=1

#

# P12EXPORT specifies whether or not users can export their

# private keys from CSPid as PKCS#12 formatted files.

# 0 (no)

# 1 (yes)


77

;P12EXPORT=1

#

# P12EXPORTREQUIRESNEWPIN specifies whether or not users can use their

# CSPid password as the password for exported private keys.

# 0 (yes) - users can use the same password

# 1 (no) - users must use a different password

#

;P12EXPORTREQUIRESNEWPIN=0

#

# P12IMPORTCA specifies whether or not CSPid should import issuer

# certificates it finds when importing PKCS#12 files.

# 0 (no)

# 1 (yes)

# Note, setting this value to 1 causes the CSPid user interface to

# import any issuer certificates it finds in the PKCS#12 during import

# if allowed by the CA Import Settings. During export, if this value is

# set to 1, issuing certificates will be included in the exported

# PKCS#12 if available.

;P12IMPORTCA=1

#

# P12IMPORTREGAPPS specifies whether or not the CSPid UI should run

# the register with applications event when a PKCS#12 file is imported

# from the CSPid UI's command line.

# 0 (no)

# non-zero = how recently the certificate must have been issued in hours

# (i.e. 24 means if the imported certificate was issued within

# the last 24 hours run the event, otherwise do not).

;P12IMPORTREGAPPS=0

#

# P12CLIIMPDELONMATCH specifies the string to search for when importing

# a PKCS#12 file using the CSPid UI's command line. If the string is

# found in the path or name of the imported file it will be deleted

# after it has been successfully imported. Common values are Temp (for

# Firefox) and Temporary (for Internet Explorer).

;P12CLIIMPDELONMATCH=

#

# IGNORE_ISSUERS_IN_GP specifies whether or not CSPid should install

# certificates into MS CAPI if they are already in a group policy

# provided store in MS CAPI.

# 0 (no)

# 1 (yes)

# Note: If the group policy is changed after CSPid installs the certificate

# users may see 2 certificates for a given issuer because group policy

# is adding a duplicate value.

;IGNORE_ISSUERS_IN_GP=1

#########################################################################

#########################################################################

# EVENT HANDLING

#########################################################################

#

# ENROLLURL specifies a URL that should be opened by the CSPid Manager

# when it starts and no certificates with private keys can be found.

# This value is superseded by the ENROLLCMD option if present.

;ENROLLURL=http://www.infoseccorp.com/ca/silver/contents.htm

#

# ENROLLURL_MESSAGE specifies the text to display to the user prior to

# opening the browser to the enrollment URL specified in ENROLLURL.

;ENROLLURL_MESSAGE=

#

# ENROLLCMD specifies one or more commands (see note below) that should

# be executed when the CSPid Manager starts and no certificates with

# private keys can be found. This value supersedes the ENROLLURL

# option.

;ENROLLCMD=

#

# ENROLLCAPI causes CSPid to move all credentials that can be exported

# from the user's Microsoft CAPI "Personal" store to CSPid when the


78

# CSPid manager starts and no credentials are found. This value

# supersedes both the ENROLLURL and ENROLLCMD values. The currently

# selected EFS certificate and any non-exportable certificates are not

# moved.

# 0 (disabled)

# 1 (enabled)

;ENROLLCAPI=0

#

# ENROLLCAPI_MESSAGE specifies the text to display to the user prior to

# migrating their keys from CAPI/CNG on initial startup.

;ENROLLCAPI_MESSAGE=

#

# NEWSIGCERTCMD specifies one or more commands (see note below) that

# should be executed when a new signing certificate is stored in CSPid.

# The following must be true for these commands to be executed:

# a. The certificate must have a matching private key already stored

# by CSPid.

# b. The program creating or loading the certificate object into

# CSPid cannot be the CSPid Manager or the CSPid Command Line.

# Therefore, these are most useful when you wish to execute one or more

# commands during web enrollment. For example, you can use these

# options with ISC's Credential Management Utility to download and

# install a PKCS#12 file using a newly issued (and thus installed)

# signing certificate. For complete details please see the CSPid User's

# Guide.

;NEWSIGCERTCMD=

#

# NEWENCCERTCMD specifies one or more commands that should be executed

# when a new encryption certificate is stored in CSPid. Please see

# NEWSIGCERTCMD for details.

;NEWENCCERTCMD=

#

# DASNEWSIGCERTCMD specifies one or more commands (see note below) that

# should be executed when a new DAS-enabled signing certificate is stored

# in CSPid. The following must be true for these commands to be executed:

# a. DAS must be enabled (see below)

# b. The program creating or loading the certificate object into

# CSPid cannot be the CSPid Manager or the CSPid Command Line.

;DASNEWSIGCERTCMD=

#

# DASNEWENCCERTCMD specifies one or more commands (see note below) that

# should be executed when a new DAS-enabled encryption certificate is

# stored in CSPid. Please see DASNEWSIGCERTCMD for details.

;DASNEWENCCERTCMD=

#

# RENEWURL specifies the URL to open in the default web browser

# when the user selects Renew My Certificate in the CSPid Manager or

# when the CSPid Manager determines that renewal is required based on

# the RENEWDAYS option. This value is superseded by the RENEWCMD

# option. The CSPid determines whether renewal is required as follows:

# a. If there is at least one signing certificate and no signing

# certificate will be valid in RENEWDAYS.

# b. or if there is a least one encrypting certificate and no

# encrypting certificate will be valid in RENEWDAYS.

;RENEWURL=http://www.infoseccorp.com/ca/silver/contents.htm

#

# RENEWURL_MESSAGE specifies the text to display to the user prior to

# opening the browser to the enrollment URL specified in RENEWURL. This

# text is NOT displayed if the user initiates the action through the

# CSPid Manager.

;RENEWURL_MESSAGE=

#

# RENEWCMD specifies one or more commands (see note below) that should

# be executed when the CSPid Manager starts and finds that either no

# signing or no encrypting certificates will be valid in RENEWDAYS.

# This value supersedes the RENEWURL option. See RENEWURL for more

# information.

;RENEWCMD=

#

# RENEWDAYS specifies the number of days before certificate expiration


79

# that should be considered when deciding whether or not certificate

# renewal should execute.

;RENEWDAYS=

#

# REGAPPSCMD specifies one or more additional commands (see note below)

# that should be executed when the user selects Register with

# Applications in the CSPid Manager.

;REGAPPSCMD=

#

# ALLCERTSISSUERS modifies the treatment of certificates installed that

# are not associated with private keys. If enabled (1) all certificates

# installed without an associated private key will be treated as issuer

# certificates and installed in the Windows "CA" (Intermediate Certification

# Authorities) store. If disabled (0) any certificate without a private

# key that does not include a basic constraints extension identifying the

# type will be installed in the Windows "Other" (other people) store.

;ALLCERTSISSUERS=0

#

# STARTUPCMD specifies one or more commands that should be executed

# when the user starts the CSPid Manager.

;STARTUPCMD=

#########################################################################

#########################################################################

# DAS OPTIONS

#########################################################################

#

#

# DASENABLE turns on DAS support. If set to a CSPid DAS Enablement

# serial number CSPid will assert to applications that it holds the

# private key matching any DAS-enabled certificate imported into CSPid.

;DASENABLE=0

#

# DASSERVER specifies one or more DAS server URIs that should be used

# when performing DAS unwrap operations. Servers are tried in order

# listed.

;DASSERVER=https://192.168.0.85:6444/das/cois/

#

# DASSIGSERVER specifies one or more DAS server URLS that should be

# used when performing DAS signature operations. Servers are tried

# in order listed.

;DASSIGSERVER=https://192.168.0.85:6444/das/cois/

#

# DASTIMEOUT specifies the number of seconds to wait for a connection

# to a DAS server for a signature or unwrap request before aborting the

# attempting and trying the next server.

;DASTIMEOUT=5

#

# DASNUMREDIR specifies the maximum number times that CSPid will

# perform URL redirection when the contacted DAS server returns CoI

# not found with a list of URLs.

# -1 (no limit)

# 0 (no redirection allowed)

# >0 (limited to the value specified)

;DASNUMREDIR=-1

#

# DAS_SIGN_ISSUER_ID specifies either the Issuer DN or the AKI

# hash value that is preferred when auto-selecting a signing

# certificate.

;DAS_SIGN_ISSUER_ID=

#

# DAS_ENC_ISSUER_ID specifies either the Issuer DN or the AKI

# hash value that is preferred when auto-selecting an encryption

# certificate.

;DAS_ENC_ISSUER_ID=

#

# DAS_ENC_LABEL_ID specifies a keyword that the label of the

# preferred encryption certificate will contain. For CACs it's Encryption

;DAS_ENC_LABEL_ID=


80

#

# DAS_SIGN_LABEL_ID specifies a keyword that the label of the

# preferred signature certificate will contain. For CACs it's Signature

;DAS_SIGN_LABEL_ID=

#

# EXT_P11_LIB specifies the PKCS#11 library path and name to use when

# authenticating to a DAS server and unwrapping the server's response.

# the default value is to use CSPid.

;EXT_P11_LIB=C:\Program Files\CSPid\CSPid.dll

#

# EXT_P11_LIB64 specifies the 64-bit PKCS#11 library path and name to use when

# authenticating to a DAS server and unwrapping the server's response.

# the default value is to use CSPid.

;EXT_P11_LIB64=C:\Program Files\CSPid\CSPidx64.dll

#

# EXT_P11_LABEL specifies the PKCS#11 label to use when CSPid communicates

# with a PKCS#11 device. If present, CSPid will only use a slot if the

# token present in that slot matches this value. If blank, CSPid will use

# the first slot that contains a token.

;EXT_P11_LABEL=ISC CSPid

#

# EXT_P11_NAME specifies the name to display in the password dialog

# when CSPid prompts the user for the PIN to their smart card. If

# blank it will use the card's label.

;EXT_P11_NAME=ISC CSPid

#########################################################################

#########################################################################

# CONFIGURATION FILE UPDATE OPTIONS

#########################################################################

#

# CFGUPDATENAME specifies the name of this "policy". This is displayed

# in the about dialog of the application for informational purposes.

;CFGUPDATENAME=Default

#

# CFGUPDATELOCALSTORE specifies the location in which CSPid should store

# updated policies for the user.

;CFGUPDATELOCALSTORE=%APPDATA%\cspid\policies

#

# CFGUPDATEURL specifies the server and path that stores updated, digitally

# signed configuration files. Either the CFGUPDATEDN or the user's DN will

# be appended to this value along with a platform specific filename to

# specify the file to download. For example,

#

# http://www.infoseccorp.com:8080/isc_policies would become

# http://www.infoseccorp.com:8080/isc_policies/O=ISC/C=US/cspid_win.p7m

;CFGUPDATEURL=

#

# CFGUPDATETIMEOUT specifies the number of seconds that CSPid should wait

# before trying the next potential URL for update files.

;CFGUPDATETIMEOUT=5

#

# CFGUPDATEDN specifies this machine's distinguished name for finding

# updated configuration files. This DN is used if CFGUPDATEUSERDN is 0 or

# if the software is unable to determine the user's DN.

;CFGUPDATEDN=

#

# CFGUPDATEUSEUSERDN specifies whether or not CSPid should attempt to determine

# and use the user's DN for downloading updated configuration files.

# 0 (no)

# 1 (yes)

;CFGUPDATEUSEUSERDN=0

#

# CFGUPDATEPERIOD specifies how frequently CSPid's system tray application

# should perform the configuration file update check.

# 0 (updates disabled)

# >0 (number of days between update checks)

;CFGUPDATEPERIOD=0

#

# CFGUPDATETRUSTMODEL specifies how to trust the policy server's SSL/TLS


81

# server certificate.

# 0 Windows Path Validation, use Windows' built in path validation

# 1 CFGUPDATETRUSTANCHOR, the certificate path must be valid and the

# root must the certificate specified in the CFGTRUSTANCHOR option

# 2 CFGUPDATETRUSTDN, the certificate path must be valid and the issuer

# RDN of the highest issuing certificate returned by the server must

# match the value in the CFGUPDATETRUSTDN option

# 3 Updates disabled

;CFGUPDATETRUSTMODEL=3

#

# CFGUPDATETRUSTANCHOR specifies a single trust anchor to which the policy

# server's SSL/TLS server certificate chains. If the policy server's

# certificate path is valid and ends in this certificate the policy will be

# downloaded and treated as authentic. This is a base64-encoded DER

# certificate on a single line.

;CFGUPDATETRUSTANCHOR=

#

# CFGUPDATETRUSTDN specifies issuer RDN that must be in the highest

# issuing certificate returned by the server.

;CFGUPDATETRUSTDN=

#

#########################################################################

#########################################################################

# INSTALLATION OPTIONS

#########################################################################

#

# SECURE specifies whether or not the installation program should

# install this configuration file in a tamper evident manner.

# 0 (no)

# 1 (yes)

# Note, if this is selected and the user tampers with the configuration

# file an error dialog will be displayed and the user's keys will be

# unavailable until the configuration file is restored to its original

# state. This is a Windows-only option and is optional. Configuration

# files found in the installation folder are automatically deemed

# secure. On UNIX a configuration file is deemed secure if it resides

# in /etc or /usr/etc.

;SECURE=0

#########################################################################

#########################################################################

# A NOTE ABOUT COMMANDS

#########################################################################

#

# Options ending in CMD, such as REGAPPSCMD, are handled as follows:

# a. If one or more options with the same value are provided in this

# configuration file each command will be executed when the

# particular event occurs.

# b. If multiple commands are present they are execute in the order

# they appear in this file and each command must finish before

# the next will be started.

# c. On Windows the commands are launched in hidden windows.

#

# For example, to cause 2 additional commands to run when the user

# selects Register with Applications you would add 2 REGAPPSCMD= lines

# to this file like so:

# REGAPPSCMD="C:\My Program\mp1.exe" -L "%TEMP%\logfile.txt"

# REGAPPSCMD="C:\My Program\mp2.exe" -L "%TEMP%\logfile.txt"

# When the event occurs mp1.exe will be executed followed by mp2.exe

#

# Please see the User's Guide for complete details

#########################################################################

Figure 23: A Sample CSPid

Configuration File with Default Settings


82

NOTE: On Windows, environment variables may be referenced in the configuration file as illustrated in

the above example. On UNIX, replace %VAR% with the conventional $VAR to dereference an

environment variable named VAR. These variables are expanded prior to use.


83

11. Appendix B: Supported PKCS #11 Mechanisms

The following mechanisms are supported through the CSPid PKCS #11 interface.

CKM_RSA_X_509

CKM_RSA_PKCS

CKM_RSA_PKCS_KEY_PAIR_GEN

CKM_ECDH1_DERIVE

CKM_ECDH1_COFACTOR_DERIVE

CKM_EC_KEY_PAIR_GEN

CKM_ECDSA

CKM_SHA_1

CKM_SHA256

CKM_SHA384

CKM_SHA512

CKM_AES_CBC

CKM_AES_ECB


84

12. Appendix C: The PKCS #15 Key Storage Format

CSPid maintains a key store consisting of a single PKCS #15 PDU containing certificates, private keys,

public keys, and their associated attributes. This PDU is currently stored on the user’s file system (local

disk, removable media, or network drive). Future versions of CSPid may allow the key store PDU to be

stored in alternate locations (such as in a network-accessible database).

12.1. PKCS #15

PKCS #15 specifies syntax for storage of objects, syntax for protecting the confidentiality of sensitive

objects, and a method to ensure the integrity of these objects. A brief summary of those aspects of the

standard used by CSPid is presented below. For more information we refer the reader to the PKCS #15

standards document.

12.2. Object Syntax

PKCS #15 specifies an ASN.1 encoding format for all objects. For software-tokens a single flat file

containing an ASN.1 DER-encoded sequence of objects is generated. This object is defined as a

PKCS15Token. It is made up of a list of key IDs and a list of objects. The key IDs uniquely label the

encrypted objects. A sample PKCS #15 PDU is presented in Appendix D: A Sample PKCS #15 Key Store.

12.3. Confidentiality

PKCS #15 specifies the use of CMS as defined in RFC 3852 using passwords for confidentiality. RFC

3852 specifies that a key-encryption key (KEK) be derived from a password and used to encrypt the

content-encryption key (CEK). The KEK is to be derived from a password according to PKCS #5 v2.0

using PBKDF2. CSPid uses a random salt and an iteration count of 2048 when performing PBKDF2.

CSPid deviates slightly from PKCS #15 and PKCS #5 by using AES-256 in CBC mode (rather than

TDES) for encryption of private objects within the PKCS #15 PDU as specified by RFC 3565 and RFC

3394. RFC 3394 is based on the NIST AES Key Wrap specification. For compatibility with the only

known third party implementation of PKCS #15, CSPid will also support the RFC 3211 mechanism for

decryption only.

Private key objects are encrypted using the algorithms and formats described in the previous paragraph.

The output produced is a CMS EnvelopedData structure that is included, with additional information, in

the eventual PKCS15Token PDU that is saved in the active key store.


85

12.4. Integrity

PKCS #15 stipulates the use of CMS as defined in RFC 3852 for assuring the integrity of the PDU.

Specifically, it requires the creation of a CMS enveloped authenticatedData PDU containing both the

PDU and a computed MAC value over it. CSPid

uses HMAC-SHA512 as defined in RFC 4231 with a

random key for the MAC operation, and then wraps the random HMAC key using AES-256 in the same

manner as for the CEK as described above (i.e., with a key derived from the user’s password according to

PKCS #5 v2.0 and PBKDF2.)

12.5. Initialization

When first started, or when the active key store cannot be opened, the PKCS #11 library creates an empty

PKCS #15 PDU and appropriate enveloped authenticatedData structure with a default password of

“PASSWORD” unless otherwise specified in the configuration file (see section 3.5). When the CSPid

management tool detects that the user has not previously set a password, it forces the user to do so. The

user can subsequently use the included utilities to change their password.


86

13. Appendix D: A Sample PKCS #15 Key Store

This appendix contains a sample CSPid key store file. The original binary PKCS #15 PDU has been

“pretty printed” using GUIDumpASN.1.

0000 30 96F: SEQUENCE {

0004 06 B: OBJECT IDENTIFIER authData (1 2 840 113549 1 9 16 1 2)

0011 A0 95E: [0] {

0015 30 95A: SEQUENCE {

0019 02 1: INTEGER 0

001C 31 5B: SET {

001E A3 59: [3] {

0020 02 1: INTEGER 0

0023 A0 1B: [0] {

0025 06 9: OBJECT IDENTIFIER pkcs5PBKDF2 (1 2 840 113549 1 5 12)

0030 30 E: SEQUENCE {

0032 04 8: OCTET STRING

: FD D3 C8 2D E1 60 08 AC

003C 02 2: INTEGER 2048

: }

: }

0040 30 D: SEQUENCE {

0042 06 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 1 45'

004D 05 0: NULL

: }

004F 04 28: OCTET STRING

: 1A 2A 61 A5 79 09 15 0E 72 14 D5 9A BB 31 1B 1D

: 9D B0 C8 B2 3A 85 A4 84 70 60 FC B8 D4 EE 43 54

: ED 5A FC C9 56 F8 8E 91

: }

: }

0079 30 C: SEQUENCE {

007B 06 8: OBJECT IDENTIFIER '1 2 840 113549 2 11'

0085 05 0: NULL

: }

0087 A1 D: [1] {

0089 06 9: OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)

0094 05 0: NULL

: }

0096 30 897: SEQUENCE {

009A 06 A: OBJECT IDENTIFIER pkcs15content (1 2 840 113549 1 15 3 1)

00A6 A0 887: [0] {

00AA 30 883: SEQUENCE {

00AE 06 A: OBJECT IDENTIFIER

: pkcs15content (1 2 840 113549 1 15 3 1)

00BA A0 873: [0] {

00BE 30 86F: SEQUENCE {

00C2 02 1: INTEGER 0

00C5 30 868: SEQUENCE {

00C9 A0 36C: [0] {

00CD A0 368: [0] {

00D1 30 364: SEQUENCE {

00D5 30 2E: SEQUENCE {

00D7 0C 28: UTF8String

'90c72555f6a105c071ec670be04120b4350831a3'

0101 03 2: BIT STRING 7 unused bits

: '1'B (bit 0)

: }

0105 30 21: SEQUENCE {


87


: 90 C7 25 55 F6 A1 05 C0 71 EC 67 0B E0 41 20 B4

: 35 08 31 A3

011D 03 2: BIT STRING 5 unused bits

: '110'B

0121 01 1: BOOLEAN FALSE


: '1001'B

: }

0128 A1 30D: [1] {

012C 30 309: SEQUENCE {

0130 A2 302: [2] {

0134 02 1: INTEGER 2

0137 31 5B: SET {

0139 A3 59: [3] {

013B 02 1: INTEGER 0

013E A0 1B: [0] {

0140 06 9: OBJECT IDENTIFIER

: pkcs5PBKDF2 (1 2 840 113549

1 5 12)

014B 30 E: SEQUENCE {

014D 04 8: OCTET STRING

: 46 B7 36 0C F7 84 7B C7

0157 02 2: INTEGER 2048

: }

: }

015B 30 D: SEQUENCE {

015D 06 9: OBJECT IDENTIFIER '2 16 840 1

101 3 4 1 45'

0168 05 0: NULL

: }

016A 04 28: OCTET STRING

: EF CC 57 56 44 9A 51 AD FC 4F 6B E6 2D 34 69 0A

: A9 28 D6 F0 D8 70 CD 99 12 90 4A 61 43 D3 63 ED

: 08 37 91 26 00 40 E5 89

: }

: }

0194 30 29E: SEQUENCE {


: data (1 2 840 113549 1 7 1)

01A3 30 1D: SEQUENCE {

01A5 06 9: OBJECT IDENTIFIER

: aes256-CBC (2 16 840 1 101 3

4 1 42)

01B0 04 10: OCTET STRING

: E3 A4 4E 34 FB 0F AF A1 43 92 FD D6 B6 FA 2E B9

: }

01C2 80 270: [0]

: 0E E4 36 24 12 77 55 BE 0E 24 CA F1 B2 7C 6F AE

: 96 1B B6 F1 1B 6E 71 F1 CD 97 D9 F1 4B E1 D5 30

: E6 B7 98 9A C8 7F 4E 17 15 5C CF F3 C7 39 D3 2B

: 62 AE B0 BA 31 72 E4 FC 6C 3A 69 AF BB 9B 43 54

: 54 CB F1 01 F2 EA 4E 87 BB DB BD D7 E8 7F 38 AF

: F3 54 1D A4 6F 47 07 D1 D9 75 64 A5 EF D4 66 10

: 6A EC 51 41 E8 3D 02 3B 8E F6 B7 7D 08 28 03 72

: 09 65 30 B3 38 91 D2 4C 70 5E 57 3C 21 38 40 DC

: [ Another 496 bytes skipped ]

: }

: }

0436 02 1: INTEGER 0

: }

: }

: }


88

: }

: }

0439 A1 105: [1] {

043D A0 101: [0] {

0441 30 FE: SEQUENCE {

0444 30 2A: SEQUENCE {

0446 0C 28: UTF8String

'90c72555f6a105c071ec670be04120b4350831a3'

: }

0470 30 21: SEQUENCE {


: 90 C7 25 55 F6 A1 05 C0 71 EC 67 0B E0 41 20 B4

: 35 08 31 A3


: '1000001'B

048C 01 1: BOOLEAN FALSE

048F 03 2: BIT STRING 4 unused bits

: '1000'B (bit 3)

: }

0493 A1 AC: [1] {

0496 30 A9: SEQUENCE {

0499 A0 A2: [0] {

049C 30 9F: SEQUENCE {

049F 30 D: SEQUENCE {


: rsaEncryption (1 2 840 113549

1 1 1)

04AC 05 0: NULL

: }

04AE 03 8D: BIT STRING 0 unused bits,

encapsulates {

04B2 30 89: SEQUENCE {

04B5 02 81: INTEGER

: 00 CB 62 73 50 C9 5D 79 71 64 E9 D1 87 07 D3 88

: AB D6 A1 57 4D CF 34 C2 B8 04 E2 F4 3E EA 71 B4

: 1E 47 9F F3 3E 6C AD A6 9E 26 E4 F4 08 52 A1 E6

: 37 A7 02 B9 24 3E A3 47 5B 95 EB 8A 5F A4 C7 8B

: 79 DC BB D6 30 22 AB 10 B4 5E 05 1A 84 A7 4B 9F

: CF 8E 15 C8 6F 0B D4 75 63 A0 A6 C9 8C BD 96 6D

: 0B 9B 63 5C A3 2B 20 6F 55 98 27 88 91 49 1A E3

: D5 11 30 9E 09 3A 46 91 00 4F 9F 45 10 B5 5C 44


0539 02 3: INTEGER 65537

: }

: }

: }

: }

053E 02 2: INTEGER 1024

: }

: }

: }

: }

: }

0542 A4 3EB: [4] {

0546 A0 3E7: [0] {

054A 30 3E3: SEQUENCE {

054E 30 2A: SEQUENCE {

0550 0C 28: UTF8String

'90c72555f6a105c071ec670be04120b4350831a3'

: }

057A 30 16: SEQUENCE {

057C 04 14: OCTET STRING

: 90 C7 25 55 F6 A1 05 C0 71 EC 67 0B E0 41 20 B4


89

: 35 08 31 A3

: }

0592 A1 39B: [1] {

0596 30 397: SEQUENCE {

059A 30 393: SEQUENCE {

059E 30 27B: SEQUENCE {

05A2 A0 3: [0] {

05A4 02 1: INTEGER 2

: }

05A7 02 14: INTEGER

: 08 16 D8 EA 0C 26 68 6B 7F 5F F6 9D D6 52 F0 B2

: 58 A4 74 EB

05BD 30 D: SEQUENCE {

05BF 06 9: OBJECT IDENTIFIER

: sha1withRSAEncryption (1 2

840 113549 1 1 5)

05CA 05 0: NULL

: }

05CC 30 B2: SEQUENCE {

05CF 31 B: SET {

05D1 30 9: SEQUENCE {

05D3 06 3: OBJECT IDENTIFIER

: countryName (2 5 4 6)

05D8 13 2: PrintableString 'US'

: }

: }

05DC 31 B: SET {

05DE 30 9: SEQUENCE {

05E0 06 3: OBJECT IDENTIFIER

: stateOrProvinceName (2 5

4 8)

05E5 13 2: PrintableString 'IL'

: }

: }

05E9 31 23: SET {

05EB 30 21: SEQUENCE {

05ED 06 3: OBJECT IDENTIFIER

: organizationName (2 5 4

10)

05F2 13 1A: PrintableString

'Information Security Corp.'

: }

: }

060E 31 11: SET {

0610 30 F: SEQUENCE {


: localityName (2 5 4 7)

0617 13 8: PrintableString 'Oak Park'

: }

: }

0621 31 21: SET {

0623 30 1F: SEQUENCE {


: organizationalUnitName (2

5 4 11)

062A 13 18: PrintableString 'Research

and Development'

: }

: }

0644 31 14: SET {

0646 30 12: SEQUENCE {


: commonName (2 5 4 3)


90

064D 13 B: PrintableString 'ISC Test

CA'

: }

: }

065A 31 25: SET {

065C 30 23: SEQUENCE {

065E 06 9: OBJECT IDENTIFIER

: emailAddress (1 2 840

113549 1 9 1)

0669 16 16: IA5String

'[email protected]'

: }

: }

: }

0681 30 1E: SEQUENCE {

0683 17 D: UTCTime '061109000000Z'

0692 17 D: UTCTime '071109000000Z'

: }

06A1 30 B5: SEQUENCE {

06A4 31 B: SET {

06A6 30 9: SEQUENCE {


: countryName (2 5 4 6)

06AD 0C 2: UTF8String 'US'

: }

: }

06B1 31 29: SET {

06B3 30 27: SEQUENCE {

06B5 06 3: OBJECT IDENTIFIER

: organizationName (2 5 4

10)

06BA 0C 20: UTF8String 'Information

Security Corporation'

: }

: }

06DC 31 1E: SET {

06DE 30 1C: SEQUENCE {

06E0 06 3: OBJECT IDENTIFIER


5 4 11)

06E5 0C 15: UTF8String 'R&D (no

assurance CA)'

: }

: }

06FC 31 12: SET {

06FE 30 10: SEQUENCE {



5 4 11)

0705 0C 9: UTF8String 'Test CA 1'

: }

: }

0710 31 18: SET {

0712 30 16: SEQUENCE {


: commonName (2 5 4 3)

0719 0C F: UTF8String 'Test P12

Import'

: }

: }

072A 31 2D: SET {

072C 30 2B: SEQUENCE {



91

: emailAddress (1 2 840

113549 1 9 1)

0739 16 1E: IA5String

'[email protected]'

: }

: }

: }

0759 30 9F: SEQUENCE {

075C 30 D: SEQUENCE {


: rsaEncryption (1 2 840

113549 1 1 1)

0769 05 0: NULL

: }

076B 03 8D: BIT STRING 0 unused bits,

encapsulates {

076F 30 89: SEQUENCE {

0772 02 81: INTEGER

: 00 CB 62 73 50 C9 5D 79 71 64 E9 D1 87 07 D3 88

: AB D6 A1 57 4D CF 34 C2 B8 04 E2 F4 3E EA 71 B4

: 1E 47 9F F3 3E 6C AD A6 9E 26 E4 F4 08 52 A1 E6

: 37 A7 02 B9 24 3E A3 47 5B 95 EB 8A 5F A4 C7 8B

: 79 DC BB D6 30 22 AB 10 B4 5E 05 1A 84 A7 4B 9F

: CF 8E 15 C8 6F 0B D4 75 63 A0 A6 C9 8C BD 96 6D

: 0B 9B 63 5C A3 2B 20 6F 55 98 27 88 91 49 1A E3

: D5 11 30 9E 09 3A 46 91 00 4F 9F 45 10 B5 5C 44


07F6 02 3: INTEGER 65537

: }

: }

: }

07FB A3 20: [3] {

07FD 30 1E: SEQUENCE {

07FF 30 E: SEQUENCE {


: keyUsage (2 5 29 15)

0806 01 1: BOOLEAN TRUE

0809 04 4: OCTET STRING, encapsulates

{

080B 03 2: BIT STRING 3 unused

bits

: '10111'B

: }

: }

080F 30 C: SEQUENCE {


: basicConstraints (2 5 29

19)

0816 01 1: BOOLEAN TRUE

0819 04 2: OCTET STRING, encapsulates

{

081B 30 0: SEQUENCE {}

: }

: }

: }

: }

: }

081D 30 D: SEQUENCE {

081F 06 9: OBJECT IDENTIFIER

: sha1withRSAEncryption (1 2 840

113549 1 1 5)

082A 05 0: NULL

: }


92

082C 03 101: BIT STRING 0 unused bits

: 12 18 19 5F 0D 48 F9 EA E7 46 07 2D E5 DB AE 8C

: 27 5A 94 DB 5C EC 11 86 F4 D0 56 D4 EE BB 6E 7F

: 5D D4 E0 86 30 F3 1F 36 4D 72 0D 70 A4 98 3F C7

: 00 EA 85 49 C0 0A A8 72 74 E3 FE 53 28 96 46 87

: 5B FA B0 14 FF 1C 59 17 F3 0D 15 A7 40 74 3F BB

: 42 B8 75 96 85 15 BD F0 8E 2B E1 BE 00 67 BB 77

: A4 AF B0 22 98 C0 98 F9 4B 3B F3 E1 E7 4C 58 B3

: 5F CB 98 A4 12 0F EA 86 6A 69 2D 47 A1 D0 61 D0


: }

: }

: }

: }

: }

: }

2BBF A7 EB: [7] {

2BC2 A0 E8: [0] {

2BC5 30 E5: SEQUENCE {

2BC8 30 21: SEQUENCE {

2BCA 0C 1F: UTF8String 'CSPid P15 Stored Options

Object'

: }

2BEB 30 0: SEQUENCE {}

2BED A1 BD: [1] {

2BF0 30 BA: SEQUENCE {

2BF3 30 9: SEQUENCE {

2BF5 04 1: OCTET STRING

: 00

2BF8 04 4: OCTET STRING

: 09 01 05 82

: }

2BFE 30 6: SEQUENCE {

2C00 04 1: OCTET STRING

: 01


: 01

: }

2C06 30 24: SEQUENCE {


: 03

2C0B 04 1F: OCTET STRING 'CSPid P15 Stored

Options Object'

: }

2C2C 30 1A: SEQUENCE {

2C2E 04 2: OCTET STRING

: 01 02


: 31 CD 33 B7 F0 6E 12 7E 05 F3 9C BF 73 BC C5 5F

: F2 2C BA AB

: }


2C4A 04 2: OCTET STRING

: 01 64

2C4E 04 1: OCTET STRING

: 01

: }



: 01 65


: 00

: }


93

2C5A 30 17: SEQUENCE {

2C5C 04 4: OCTET STRING

: 82 05 01 10

2C62 04 F: OCTET STRING, encapsulates {

2C64 17 D: UTCTime '061218153524Z'

: }

: }



: 82 05 01 11

2C7B 04 30: OCTET STRING

: 51 AB B9 63 60 78 DE FB 5F C8 A0 3E 2F 9F E3 A9

: D1 0B C1 79 FF 24 57 71 A9 BA 4B 23 90 31 BB 86

: 92 73 13 3F D2 28 2B 59 D6 9B 1C 54 39 5E 0B 37

: }

: }

: }

: }

: }

: }

: }

: }

: }

: }

: }

: }


: A8 43 47 83 D3 03 24 7D BA 25 99 31 FA E5 D0 00

: 3D 66 40 FA 96 76 10 58 2D B6 4A E4 2D FA 53 91

: 75 92 AA 55 17 1D CF 11 48 C0 3E 2B FB 75 00 31

: 4B 62 99 8D B7 DA 5E E5 40 40 39 E5 0F 18 86 8B

: }

: }

: }