CodeSafe 5 Application Authentication

The developer of a CodeSafe 5 application (the "Developer") uses the following keys:

The Developer ID key belongs to a company or other organization, and that organization has an active nShield support contract or similar relationship with Entrust. Entrust issues a Developer ID Certificate, which is an X.509 certificate binding the Developer ID key to a organization name, location, and DNS domain name ("Common Name").

Application Signing Keys are owned by the Developer’s organization, and should be distinct for each CodeSafe 5 application they produce.

An ASK is associated with an 'Package Name', which is a short name for the application, assigned by the Developer. Taken together, the Package Name and Common Name form a unique identifier for that application, which is cryptographically assured through the authentication mechanism.

A central feature of CodeSafe is the ability to restrict use of Security World keys to specific CodeSafe images. For Solo XC and earlier HSMs, this was done by signing the machine image (actually, signing the userdata associated with the machine) using a seeinteg key, and then referring to the key-hash of that seeinteg key in the Access Control List (ACL) of another Security World key. For instance, this can be done by using generatekey with the seeintegname or --trusted-certifier options (see Working with keys).

When the CodeSafe machine wishes to use a key which is restricted in this way, it adds a CertType_SEECert certificate to the nCore API commandas described in the Command Certificates documentation.

In CodeSafe 5, the Application Signing Key’s identity is available to authorize actions. When creating keys with generatekey, the ASK’s key name can be used for the seeintegname parameter, or its hash passed as the --trusted-certifier value. The ASK key hash can then be used in CertType_SEECert command certificates.

However, in some situations it is desirable to use existing Security World keys created for Codesafe XC applications, i.e. to use an existing seeinteg key’s identity for command authorization rather than a new ASK. To do this, the existing seeinteg key can be used to add an additional signature on the CodeSafe 5 machine image. For details see the csadmin image signextra command.

As the diagram above shows, X.509 certificates (the Developer ID and Issuing CA certificates) are not placed in the .cs5 file itself. Instead, the HSM maintains a certificate database, separate from the CodeSafe 5 machine image itself. The following commands access that database:

These are described in detail at Developer Identity management.

It is possible to have more than one certificate for the same Developer ID key (e.g. with different validity dates) loaded. The validation procedure (described below) will accept any such certificate that is currently valid.

The diagram above shows that the Developer ID key signs an AppKeyCertificate record, but it is not involved in creating a signature on the application itself. This allows the Developer ID key to be kept in a separate environment to the ASK; it is only necessary to use the Developer ID key when an ASK is first created. After that, the AppKeyCertificate can be stored and reused repeatedly. Only the ASK needs to be available when creating the signed .cs5 file.

The workflow for using the Developer ID key in a separate (e.g. offline) environment is as follows:

These operations need a Developer ID certificate file to be available in both environments, but note this is just used to identify the Developer ID key; it does not form part of the signed .cs5 file.

The contents of a .cs5 file are validated when it first loaded onto the HSM (using csadmin create), and when the machine is started (using csadmin start, or when the HSM boots if auto-start is enabled).

Validation of a .cs5 file consists of the following steps: